From 71d2c59b5c5dc6d193f9fe44dd66cae871a83462 Mon Sep 17 00:00:00 2001 
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Thu, 23 May 2024 00:11:50 +0530 Subject: [PATCH] Back-porting Version Trimming (#3681) --- .github/workflows/lock-versions.yml | 2 +- detection_rules/devtools.py | 71 +- detection_rules/etc/stack-schema-map.yaml | 59 +- detection_rules/etc/version.lock.json | 2570 +---------------- docs/versioning.md | 26 + rules/apm/apm_403_response_to_a_post.toml | 4 +- .../apm_405_response_method_not_allowed.toml | 4 +- rules/apm/apm_sqlmap_user_agent.toml | 4 +- ..._google_drive_malicious_file_download.toml | 17 +- ...and_and_control_non_standard_ssh_port.toml | 23 +- ...s_cookies_chromium_browsers_debugging.toml | 14 +- ..._evasion_agent_spoofing_mismatched_id.toml | 11 +- ...evasion_agent_spoofing_multiple_hosts.toml | 15 +- ...e_evasion_deleting_websvr_access_logs.toml | 15 +- ...deletion_of_bash_command_line_history.toml | 28 +- ...sion_elastic_agent_service_terminated.toml | 16 +- ...ion_masquerading_space_after_filename.toml | 13 +- .../defense_evasion_timestomp_touch.toml | 18 +- .../discovery_security_software_grep.toml | 27 +- ...y_virtual_machine_fingerprinting_grep.toml | 13 +- ...on_pentest_eggshell_remote_admin_tool.toml | 13 +- .../execution_revershell_via_shell_cmd.toml | 25 +- ...xecution_suspicious_jar_child_process.toml | 31 +- ...tion_suspicious_java_netcon_childproc.toml | 14 +- .../guided_onboarding_sample_rule.toml | 4 +- .../impact_hosts_file_modified.toml | 21 +- ..._access_zoom_meeting_with_no_passcode.toml | 10 +- ...ultiple_alerts_different_tactics_host.toml | 11 +- .../multiple_alerts_involving_user.toml | 11 +- ...l_access_modify_auth_module_or_config.toml | 30 +- ...ersistence_shell_profile_modification.toml | 25 +- ...ence_ssh_authorized_keys_modification.toml | 49 +- ...lege_escalation_echo_nopasswd_sudoers.toml | 13 +- ...ation_setuid_setgid_bit_set_via_chmod.toml | 13 +- ...ilege_escalation_sudo_buffer_overflow.toml | 16 +- 
...privilege_escalation_sudoers_file_mod.toml | 26 +- .../threat_intel_indicator_match_address.toml | 52 +- .../threat_intel_indicator_match_hash.toml | 64 +- ...threat_intel_indicator_match_registry.toml | 51 +- .../threat_intel_indicator_match_url.toml | 52 +- ...collection_cloudtrail_logging_created.toml | 12 +- ...cess_aws_getpassword_for_ec2_instance.toml | 5 +- ...ccess_aws_iam_assume_role_brute_force.toml | 8 +- ...ial_access_iam_user_addition_to_group.toml | 4 +- ...w_terms_secretsmanager_getsecretvalue.toml | 16 +- ...cess_root_console_failure_brute_force.toml | 14 +- ...se_evasion_cloudtrail_logging_deleted.toml | 13 +- ..._evasion_cloudtrail_logging_suspended.toml | 13 +- ...nse_evasion_cloudwatch_alarm_deletion.toml | 12 +- ..._evasion_config_service_rule_deletion.toml | 12 +- ...vasion_configuration_recorder_stopped.toml | 4 +- ...defense_evasion_ec2_flow_log_deletion.toml | 13 +- ...ense_evasion_ec2_network_acl_deletion.toml | 12 +- ...n_elasticache_security_group_creation.toml | 4 +- ...he_security_group_modified_or_deleted.toml | 4 +- ...calation_aws_suspicious_saml_activity.toml | 12 +- ...e_evasion_guardduty_detector_deletion.toml | 4 +- ...53_dns_query_resolver_config_deletion.toml | 5 +- ...sion_s3_bucket_configuration_deletion.toml | 12 +- .../aws/defense_evasion_waf_acl_deletion.toml | 12 +- ...asion_waf_rule_or_rule_group_deletion.toml | 12 +- ..._ec2_ami_shared_with_separate_account.toml | 5 +- ..._full_network_packet_capture_detected.toml | 13 +- ...ltration_ec2_snapshot_change_activity.toml | 4 +- .../exfiltration_ec2_vm_export_failure.toml | 13 +- .../aws/exfiltration_rds_snapshot_export.toml | 12 +- .../exfiltration_rds_snapshot_restored.toml | 12 +- ..._eventbridge_rule_disabled_or_deleted.toml | 4 +- .../impact_cloudtrail_logging_updated.toml | 14 +- .../impact_cloudwatch_log_group_deletion.toml | 14 +- ...impact_cloudwatch_log_stream_deletion.toml | 4 +- .../impact_ec2_disable_ebs_encryption.toml | 12 +- 
...mpact_efs_filesystem_or_mount_deleted.toml | 4 +- .../aws/impact_iam_deactivate_mfa_device.toml | 13 +- .../aws/impact_iam_group_deletion.toml | 12 +- ...mk_disabled_or_scheduled_for_deletion.toml | 13 +- .../aws/impact_rds_group_deletion.toml | 12 +- .../impact_rds_instance_cluster_deletion.toml | 13 +- .../impact_rds_instance_cluster_stoppage.toml | 13 +- .../initial_access_console_login_root.toml | 6 +- .../aws/initial_access_password_recovery.toml | 13 +- .../initial_access_via_system_manager.toml | 4 +- .../ml_cloudtrail_error_message_spike.toml | 15 +- .../aws/ml_cloudtrail_rare_error_code.toml | 15 +- .../ml_cloudtrail_rare_method_by_city.toml | 15 +- .../ml_cloudtrail_rare_method_by_country.toml | 15 +- .../ml_cloudtrail_rare_method_by_user.toml | 15 +- .../persistence_ec2_network_acl_creation.toml | 13 +- ..._group_configuration_change_detection.toml | 13 +- .../aws/persistence_iam_group_creation.toml | 13 +- .../aws/persistence_rds_cluster_creation.toml | 13 +- .../aws/persistence_rds_group_creation.toml | 12 +- .../persistence_rds_instance_creation.toml | 13 +- ...ersistence_redshift_instance_creation.toml | 13 +- ...oute_53_domain_transfer_lock_disabled.toml | 13 +- ...domain_transferred_to_another_account.toml | 13 +- ..._53_hosted_zone_associated_with_a_vpc.toml | 13 +- .../aws/persistence_route_table_created.toml | 13 +- ...tence_route_table_modified_or_deleted.toml | 13 +- ...ege_escalation_root_login_without_mfa.toml | 6 +- ...ilege_escalation_sts_assumerole_usage.toml | 13 +- ..._escalation_sts_getsessiontoken_abuse.toml | 13 +- ...ege_escalation_updateassumerolepolicy.toml | 6 +- ...collection_update_event_hub_auth_rule.toml | 5 +- ..._full_network_packet_capture_detected.toml | 4 +- .../credential_access_key_vault_modified.toml | 4 +- ...ccess_storage_account_key_regenerated.toml | 11 +- ...e_application_credential_modification.toml | 11 +- ...sion_azure_automation_runbook_deleted.toml | 4 +- ...asion_azure_blob_permissions_modified.toml | 12 
+- ...on_azure_diagnostic_settings_deletion.toml | 4 +- ...sion_azure_service_principal_addition.toml | 6 +- .../defense_evasion_event_hub_deletion.toml | 4 +- ...ense_evasion_firewall_policy_deletion.toml | 11 +- ...on_frontdoor_firewall_policy_deletion.toml | 11 +- ...nse_evasion_kubernetes_events_deleted.toml | 4 +- ...ense_evasion_network_watcher_deletion.toml | 11 +- ...ense_evasion_suppression_rule_created.toml | 4 +- .../discovery_blob_container_access_mod.toml | 4 +- .../execution_command_virtual_machine.toml | 4 +- ...e_service_principal_credentials_added.toml | 4 +- .../azure/impact_kubernetes_pod_deleted.toml | 4 +- .../azure/impact_resource_group_deletion.toml | 4 +- ...mpact_virtual_network_device_modified.toml | 4 +- ...ure_active_directory_high_risk_signin.toml | 6 +- ..._high_risk_signin_atrisk_or_confirmed.toml | 6 +- ...re_active_directory_powershell_signin.toml | 6 +- ...tack_via_azure_registered_application.toml | 6 +- ...ial_access_external_guest_user_invite.toml | 4 +- ...ence_azure_automation_account_created.toml | 4 +- ...utomation_runbook_created_or_modified.toml | 4 +- ...ence_azure_automation_webhook_created.toml | 4 +- ...re_conditional_access_policy_modified.toml | 4 +- ...re_global_administrator_role_assigned.toml | 4 +- ...nce_azure_pim_user_added_global_admin.toml | 4 +- ...ged_identity_management_role_modified.toml | 6 +- ...rsistence_mfa_disabled_for_azure_user.toml | 6 +- ..._added_as_owner_for_azure_application.toml | 4 +- ..._as_owner_for_azure_service_principal.toml | 4 +- ..._azure_kubernetes_rolebinding_created.toml | 11 +- .../container_workload_protection.toml | 9 +- ...s_aws_creds_search_inside_a_container.toml | 52 +- ..._files_compression_inside_a_container.toml | 14 +- ...r_passwords_search_inside_a_container.toml | 52 +- ...ed_object_modified_inside_a_container.toml | 18 +- ...work_tool_launched_inside_a_container.toml | 87 +- ...nt_binary_launched_inside_a_container.toml | 51 +- 
...ecutable_via_chmod_inside_a_container.toml | 66 +- ...ecution_interactive_exec_to_container.toml | 54 +- ...shell_spawned_from_inside_a_container.toml | 55 +- ...stener_established_inside_a_container.toml | 59 +- ...ection_established_inside_a_container.toml | 36 +- ...h_process_launched_inside_a_container.toml | 35 +- ..._keys_modification_inside_a_container.toml | 48 +- ...e_via_modified_notify_on_release_file.toml | 4 +- ...scape_via_modified_release_agent_file.toml | 4 +- ...berarkpas_error_audit_event_promotion.toml | 11 +- ...commended_events_to_monitor_promotion.toml | 11 +- ...ytes_destination_geo_country_iso_code.toml | 18 +- ...ltration_ml_high_bytes_destination_ip.toml | 18 +- ...ration_ml_high_bytes_destination_port.toml | 18 +- ...ml_high_bytes_destination_region_name.toml | 18 +- ...high_bytes_written_to_external_device.toml | 18 +- ...es_written_to_external_device_airdrop.toml | 18 +- ...re_process_writing_to_external_device.toml | 18 +- ...ml_dga_activity_using_sunburst_domain.toml | 18 +- ...d_control_ml_dga_high_sum_probability.toml | 18 +- ...l_ml_dns_request_high_dga_probability.toml | 18 +- ..._request_predicted_to_be_a_dga_domain.toml | 18 +- .../endpoint/elastic_endpoint_security.toml | 4 +- ...ion_gcp_pub_sub_subscription_creation.toml | 12 +- ...collection_gcp_pub_sub_topic_creation.toml | 12 +- ...nse_evasion_gcp_firewall_rule_created.toml | 12 +- ...nse_evasion_gcp_firewall_rule_deleted.toml | 12 +- ...se_evasion_gcp_firewall_rule_modified.toml | 12 +- ...e_evasion_gcp_logging_bucket_deletion.toml | 12 +- ...nse_evasion_gcp_logging_sink_deletion.toml | 12 +- ...ion_gcp_pub_sub_subscription_deletion.toml | 12 +- ...se_evasion_gcp_pub_sub_topic_deletion.toml | 12 +- ...storage_bucket_configuration_modified.toml | 12 +- ...p_storage_bucket_permissions_modified.toml | 12 +- ...virtual_private_cloud_network_deleted.toml | 12 +- ...p_virtual_private_cloud_route_created.toml | 12 +- ...p_virtual_private_cloud_route_deleted.toml | 12 +- 
...tration_gcp_logging_sink_modification.toml | 12 +- .../gcp/impact_gcp_iam_role_deletion.toml | 12 +- .../impact_gcp_service_account_deleted.toml | 12 +- .../impact_gcp_service_account_disabled.toml | 12 +- .../impact_gcp_storage_bucket_deleted.toml | 4 +- ...l_access_gcp_iam_custom_role_creation.toml | 12 +- ..._gcp_iam_service_account_key_deletion.toml | 12 +- ...e_gcp_key_created_for_service_account.toml | 12 +- ...rsistence_gcp_service_account_created.toml | 12 +- ...hub_protected_branch_settings_changed.toml | 17 +- .../github/execution_github_app_deleted.toml | 16 +- ..._high_number_of_cloned_repos_from_pat.toml | 24 +- ...multiple_behavior_alerts_from_account.toml | 30 +- .../execution_new_github_app_installed.toml | 17 +- .../impact_github_repository_deleted.toml | 31 +- .../persistence_github_org_owner_added.toml | 26 +- ...tence_organization_owner_role_granted.toml | 26 +- ...ship_transferred_via_google_workspace.toml | 11 +- ...ustom_gmail_route_created_or_modified.toml | 11 +- ...yption_key_accessed_by_anonymous_user.toml | 4 +- ...ed_from_blocklist_in_google_workspace.toml | 6 +- ...d_to_google_workspace_trusted_domains.toml | 6 +- ..._workspace_bitlocker_setting_disabled.toml | 6 +- ...th_login_from_third_party_application.toml | 17 +- ..._marketplace_changed_to_allow_any_app.toml | 6 +- ...ogle_workspace_alert_center_promotion.toml | 19 +- ..._google_workspace_admin_role_deletion.toml | 6 +- ...le_workspace_mfa_enforcement_disabled.toml | 4 +- ..._user_added_to_google_workspace_group.toml | 4 +- ..._access_granted_to_custom_application.toml | 11 +- ...ogle_workspace_suspended_user_renewed.toml | 11 +- ...tion_added_to_google_workspace_domain.toml | 6 +- ..._google_workspace_2sv_policy_disabled.toml | 6 +- ...workspace_admin_role_assigned_to_user.toml | 6 +- ...a_domain_wide_delegation_of_authority.toml | 12 +- ...e_workspace_custom_admin_role_created.toml | 12 +- ...le_workspace_password_policy_modified.toml | 6 +- 
...stence_google_workspace_role_modified.toml | 12 +- ...pace_user_organizational_unit_changed.toml | 6 +- ...led_for_google_workspace_organization.toml | 6 +- ...covery_denied_service_account_request.toml | 4 +- ...covery_suspicious_self_subject_review.toml | 4 +- .../execution_user_exec_to_pod.toml | 4 +- ...l_access_anonymous_request_authorized.toml | 5 +- ...ed_service_created_with_type_nodeport.toml | 4 +- ...ted_with_excessive_linux_capabilities.toml | 4 +- ...e_escalation_pod_created_with_hostipc.toml | 4 +- ...calation_pod_created_with_hostnetwork.toml | 4 +- ...e_escalation_pod_created_with_hostpid.toml | 4 +- ...reated_with_sensitive_hostpath_volume.toml | 4 +- ...ege_escalation_privileged_pod_created.toml | 4 +- ...ignment_of_controller_service_account.toml | 4 +- ...ovement_ml_high_mean_rdp_process_args.toml | 20 +- ...ent_ml_high_mean_rdp_session_duration.toml | 20 +- ...ral_movement_ml_high_remote_file_size.toml | 20 +- ...ml_high_variance_rdp_session_duration.toml | 20 +- ...ovement_ml_rare_remote_file_directory.toml | 20 +- ...ovement_ml_rare_remote_file_extension.toml | 20 +- ...spike_in_connections_from_a_source_ip.toml | 20 +- ...ke_in_connections_to_a_destination_ip.toml | 20 +- ...al_movement_ml_spike_in_rdp_processes.toml | 20 +- ...ent_ml_spike_in_remote_file_transfers.toml | 20 +- ...nt_ml_unusual_time_for_an_rdp_session.toml | 20 +- ...llection_microsoft_365_new_inbox_rule.toml | 4 +- ..._365_brute_force_user_account_attempt.toml | 13 +- ...65_potential_password_spraying_attack.toml | 13 +- ...ccess_user_excessive_sso_logon_errors.toml | 13 +- ...osoft_365_exchange_dlp_policy_removed.toml | 11 +- ...change_malware_filter_policy_deletion.toml | 11 +- ..._365_exchange_malware_filter_rule_mod.toml | 11 +- ...65_exchange_safe_attach_rule_disabled.toml | 11 +- ...oft_365_mailboxauditbypassassociation.toml | 4 +- ..._365_exchange_transport_rule_creation.toml | 4 +- ...osoft_365_exchange_transport_rule_mod.toml | 4 +- 
...oft_365_potential_ransomware_activity.toml | 4 +- ...t_365_unusual_volume_of_file_deletion.toml | 4 +- ...ss_microsoft_365_abnormal_clientappid.toml | 20 +- ...5_exchange_anti_phish_policy_deletion.toml | 11 +- ...soft_365_exchange_anti_phish_rule_mod.toml | 11 +- ...osoft_365_exchange_safelinks_disabled.toml | 11 +- ...65_user_restricted_from_sending_email.toml | 11 +- ...cess_o365_user_reported_phish_malware.toml | 4 +- ...al_movement_malware_uploaded_onedrive.toml | 4 +- ..._movement_malware_uploaded_sharepoint.toml | 4 +- ...e_suspicious_mailbox_right_delegation.toml | 4 +- ...exchange_dkim_signing_config_disabled.toml | 4 +- ...5_exchange_management_role_assignment.toml | 11 +- ..._365_global_administrator_role_assign.toml | 11 +- ..._teams_custom_app_interaction_allowed.toml | 11 +- ...oft_365_teams_external_access_enabled.toml | 4 +- ...rosoft_365_teams_guest_access_enabled.toml | 4 +- ...ion_new_or_modified_federation_domain.toml | 11 +- ...se_evasion_ml_rare_process_for_a_host.toml | 18 +- ..._ml_rare_process_for_a_parent_process.toml | 18 +- ...se_evasion_ml_rare_process_for_a_user.toml | 18 +- ...e_evasion_ml_suspicious_windows_event.toml | 18 +- ...icious_windows_event_high_probability.toml | 18 +- ...ous_windows_process_cluster_from_host.toml | 18 +- ...s_process_cluster_from_parent_process.toml | 18 +- ...ous_windows_process_cluster_from_user.toml | 18 +- ...mand_and_control_cat_network_activity.toml | 30 +- ..._control_linux_chisel_client_activity.toml | 36 +- ..._control_linux_chisel_server_activity.toml | 36 +- ...mand_and_control_linux_kworker_netcon.toml | 82 +- ...nd_control_linux_proxychains_activity.toml | 32 +- ...linux_suspicious_proxychains_activity.toml | 31 +- ...l_linux_tunneling_and_port_forwarding.toml | 35 +- ...work_activity_from_unknown_executable.toml | 25 +- ...d_and_control_tunneling_via_earthworm.toml | 19 +- ...ial_access_collection_sensitive_files.toml | 33 +- .../credential_access_credential_dumping.toml | 40 +- 
...ntial_access_gdb_init_process_hooking.toml | 32 +- ...credential_access_gdb_process_hooking.toml | 34 +- ...ential_linux_local_account_bruteforce.toml | 27 +- ...tential_linux_ssh_bruteforce_external.toml | 15 +- ...tential_linux_ssh_bruteforce_internal.toml | 15 +- ...ntial_successful_linux_ftp_bruteforce.toml | 33 +- ...ntial_successful_linux_rdp_bruteforce.toml | 31 +- ...ntial_successful_linux_ssh_bruteforce.toml | 24 +- ...ential_access_proc_credential_dumping.toml | 33 +- .../credential_access_ssh_backdoor_log.toml | 14 +- ...tempt_to_disable_iptables_or_firewall.toml | 32 +- ...ion_attempt_to_disable_syslog_service.toml | 13 +- ..._base32_encoding_or_decoding_activity.toml | 25 +- ...binary_copied_to_suspicious_directory.toml | 43 +- ...defense_evasion_chattr_immutable_file.toml | 23 +- ...ense_evasion_clear_kernel_ring_buffer.toml | 53 +- ...ense_evasion_disable_apparmor_attempt.toml | 29 +- ...fense_evasion_disable_selinux_attempt.toml | 27 +- ...asion_esxi_suspicious_timestomp_touch.toml | 37 +- ...fense_evasion_file_deletion_via_shred.toml | 24 +- ...defense_evasion_file_mod_writable_dir.toml | 23 +- .../defense_evasion_hidden_file_dir_tmp.toml | 22 +- .../defense_evasion_hidden_shared_object.toml | 25 +- ...defense_evasion_kernel_module_removal.toml | 29 +- ...defense_evasion_kthreadd_masquerading.toml | 47 +- .../defense_evasion_log_files_deleted.toml | 24 +- .../defense_evasion_mount_execution.toml | 43 +- ...ense_evasion_potential_proot_exploits.toml | 46 +- .../defense_evasion_rename_esxi_files.toml | 16 +- ...efense_evasion_rename_esxi_index_file.toml | 20 +- ...s_utility_executed_via_tmux_or_screen.toml | 27 +- .../discovery_dynamic_linker_via_od.toml | 25 +- .../discovery_esxi_software_via_find.toml | 29 +- .../discovery_esxi_software_via_grep.toml | 31 +- .../discovery_kernel_module_enumeration.toml | 25 +- .../linux/discovery_linux_hping_activity.toml | 25 +- .../linux/discovery_linux_nping_activity.toml | 25 +- 
.../linux/discovery_ping_sweep_detected.toml | 33 +- rules/linux/discovery_proc_maps_read.toml | 21 +- ...very_pspy_process_monitoring_detected.toml | 27 +- ...very_sudo_allowed_command_enumeration.toml | 27 +- .../discovery_suid_sguid_enumeration.toml | 32 +- ...ry_suspicious_which_command_execution.toml | 31 +- ...overy_unusual_user_enumeration_via_id.toml | 19 +- ...covery_virtual_machine_fingerprinting.toml | 13 +- ...tion_abnormal_process_id_file_created.toml | 28 +- ...ion_curl_cve_2023_38545_heap_overflow.toml | 35 +- ...n_file_execution_followed_by_deletion.toml | 21 +- ...er_or_listener_established_via_netcat.toml | 13 +- .../execution_interpreter_tty_upgrade.toml | 30 +- .../execution_nc_listener_via_rlwrap.toml | 28 +- ...ion_netcon_from_rwx_mem_region_binary.toml | 58 +- ...cution_network_event_post_compilation.toml | 50 +- rules/linux/execution_perl_tty_shell.toml | 13 +- ...xecution_potential_hack_tool_executed.toml | 27 +- ..._process_started_from_process_id_file.toml | 26 +- ...ss_started_in_shared_memory_directory.toml | 23 +- rules/linux/execution_python_tty_shell.toml | 26 +- ..._remote_code_execution_via_postgresql.toml | 35 +- .../execution_shell_evasion_linux_binary.toml | 24 +- ...xecution_shell_via_background_process.toml | 54 +- ...ion_shell_via_child_tcp_utility_linux.toml | 48 +- ...ecution_shell_via_java_revshell_linux.toml | 48 +- ...on_shell_via_lolbin_interpreter_linux.toml | 52 +- ...execution_shell_via_meterpreter_linux.toml | 50 +- ...execution_shell_via_suspicious_binary.toml | 50 +- ...ution_shell_via_tcp_cli_utility_linux.toml | 48 +- ...ution_shell_via_udp_cli_utility_linux.toml | 44 +- ...traction_or_decrompression_via_funzip.toml | 51 +- ...us_executable_running_system_commands.toml | 41 +- ...icious_mining_process_creation_events.toml | 43 +- rules/linux/execution_tc_bpf_filter.toml | 28 +- ...nknown_rwx_mem_region_binary_executed.toml | 41 +- .../impact_data_encrypted_via_openssl.toml | 29 +- 
rules/linux/impact_esxi_process_kill.toml | 31 +- ...tial_linux_ransomware_file_encryption.toml | 29 +- ...ential_linux_ransomware_note_detected.toml | 27 +- .../linux/impact_process_kill_threshold.toml | 32 +- ...lateral_movement_ssh_it_worm_download.toml | 33 +- ...ment_telnet_network_activity_external.toml | 21 +- ...ment_telnet_network_activity_internal.toml | 21 +- ...istence_apt_package_manager_execution.toml | 41 +- ...ersistence_apt_package_manager_netcon.toml | 33 +- .../persistence_chkconfig_service_add.toml | 54 +- ...credential_access_modify_ssh_binaries.toml | 38 +- .../linux/persistence_cron_job_creation.toml | 92 +- .../persistence_dynamic_linker_backup.toml | 75 +- .../linux/persistence_etc_file_creation.toml | 133 +- .../persistence_init_d_file_creation.toml | 57 +- ...persistence_insmod_kernel_module_load.toml | 32 +- ...ersistence_kde_autostart_modification.toml | 105 +- .../linux/persistence_kernel_driver_load.toml | 40 +- ...stence_kernel_driver_load_by_non_root.toml | 37 +- .../persistence_kworker_file_creation.toml | 59 +- ...sistence_linux_backdoor_user_creation.toml | 37 +- .../persistence_linux_group_creation.toml | 24 +- ...e_linux_shell_activity_via_web_server.toml | 39 +- ...rsistence_linux_user_account_creation.toml | 24 +- ..._linux_user_added_to_privileged_group.toml | 32 +- ...rsistence_message_of_the_day_creation.toml | 51 +- ...sistence_message_of_the_day_execution.toml | 60 +- .../linux/persistence_rc_script_creation.toml | 51 +- ...sistence_setuid_setgid_capability_set.toml | 27 +- .../persistence_shared_object_creation.toml | 41 +- ...ence_shell_configuration_modification.toml | 31 +- ...suspicious_file_opened_through_editor.toml | 82 +- ...e_suspicious_ssh_execution_xzbackdoor.toml | 38 +- rules/linux/persistence_systemd_netcon.toml | 31 +- ...tence_systemd_scheduled_timer_created.toml | 75 +- .../persistence_systemd_service_creation.toml | 77 +- ...ersistence_tainted_kernel_module_load.toml | 32 +- 
...ainted_kernel_module_out_of_tree_load.toml | 30 +- .../linux/persistence_udev_rule_creation.toml | 27 +- ...on_chown_chmod_unauthorized_file_read.toml | 34 +- ...ation_container_util_misconfiguration.toml | 32 +- ..._docker_mount_chroot_container_escape.toml | 29 +- ...lege_escalation_kworker_uid_elevation.toml | 36 +- ...lation_ld_preload_shared_object_modif.toml | 27 +- ...lation_linux_suspicious_symbolic_link.toml | 30 +- ...lege_escalation_linux_uid_int_max_bug.toml | 34 +- ...n_load_and_unload_of_kernel_via_kexec.toml | 53 +- ...alation_looney_tunables_cve_2023_4911.toml | 27 +- ...ege_escalation_netcon_via_sudo_binary.toml | 31 +- ...ge_escalation_overlayfs_local_privesc.toml | 23 +- ...vilege_escalation_pkexec_envar_hijack.toml | 14 +- ...ation_potential_bufferoverflow_attack.toml | 27 +- ...lation_potential_wildcard_shell_spawn.toml | 21 +- ...ge_escalation_sda_disk_mount_non_root.toml | 32 +- ...privilege_escalation_shadow_file_read.toml | 31 +- ...vilege_escalation_sudo_cve_2019_14287.toml | 31 +- .../privilege_escalation_sudo_hijacking.toml | 24 +- ...tion_sudo_token_via_process_injection.toml | 29 +- ...uspicious_cap_setuid_python_execution.toml | 26 +- ...calation_suspicious_passwd_file_write.toml | 23 +- ...scalation_uid_change_post_compilation.toml | 22 +- ...uid_elevation_from_unknown_executable.toml | 37 +- ...lation_unshare_namespace_manipulation.toml | 23 +- ...ege_escalation_writable_docker_socket.toml | 27 +- ...edential_access_credentials_keychains.toml | 12 +- ...dential_access_dumping_hashes_bi_cmds.toml | 12 +- ...tial_access_dumping_keychain_security.toml | 18 +- .../credential_access_kerberosdump_kcc.toml | 12 +- ...s_keychain_pwd_retrieval_security_cmd.toml | 12 +- ...ential_access_mitm_localhost_webproxy.toml | 12 +- ...access_potential_macos_ssh_bruteforce.toml | 14 +- ...al_access_promt_for_pwd_via_osascript.toml | 12 +- .../credential_access_systemkey_dumping.toml | 12 +- ...vasion_apple_softupdates_modification.toml | 12 +- 
...evasion_attempt_del_quarantine_attrib.toml | 18 +- ...evasion_attempt_to_disable_gatekeeper.toml | 12 +- ...ense_evasion_install_root_certificate.toml | 12 +- ...cy_controls_tcc_database_modification.toml | 12 +- ...tion_privacy_pref_sshd_fulldiskaccess.toml | 13 +- .../defense_evasion_safari_config_change.toml | 12 +- ...dboxed_office_app_suspicious_zip_file.toml | 12 +- ...vasion_tcc_bypass_mounted_apfs_access.toml | 13 +- ..._evasion_unload_endpointsecurity_kext.toml | 12 +- ...covery_users_domain_built_in_commands.toml | 15 +- ...vasion_electron_app_childproc_node_js.toml | 13 +- ...l_access_suspicious_browser_childproc.toml | 13 +- ...staller_package_spawned_network_event.toml | 13 +- ...cution_script_via_automator_workflows.toml | 12 +- ...ing_osascript_exec_followed_by_netcon.toml | 13 +- ...n_shell_execution_via_apple_scripting.toml | 12 +- ...ential_access_kerberos_bifrostconsole.toml | 13 +- .../lateral_movement_mounting_smb_share.toml | 12 +- ...ral_movement_remote_ssh_login_enabled.toml | 12 +- ...teral_movement_vpn_connection_attempt.toml | 12 +- ...stence_account_creation_hide_at_logon.toml | 12 +- ...ce_creation_change_launch_agents_file.toml | 12 +- ..._creation_hidden_login_item_osascript.toml | 13 +- ...creation_modif_launch_deamon_sequence.toml | 12 +- ..._access_authorization_plugin_creation.toml | 12 +- rules/macos/persistence_crontab_creation.toml | 12 +- ...launch_agent_deamon_logonitem_process.toml | 13 +- ...rectory_services_plugins_modification.toml | 12 +- ...e_docker_shortcuts_plist_modification.toml | 12 +- ...persistence_emond_rules_file_creation.toml | 12 +- ...istence_emond_rules_process_execution.toml | 12 +- .../persistence_enable_root_account.toml | 12 +- ...n_hidden_launch_agent_deamon_creation.toml | 13 +- ...istence_folder_action_scripts_runtime.toml | 13 +- ...rsistence_login_logout_hooks_defaults.toml | 12 +- ...stence_loginwindow_plist_modification.toml | 12 +- ...fication_sublime_app_plugin_or_script.toml | 12 +- 
...ersistence_periodic_tasks_file_mdofiy.toml | 12 +- ...saver_engine_unexpected_child_process.toml | 12 +- ...e_screensaver_plist_file_modification.toml | 12 +- ...ence_suspicious_calendar_modification.toml | 12 +- ...tence_via_atom_init_file_modification.toml | 12 +- ...calation_explicit_creds_via_scripting.toml | 13 +- ...alation_exploit_adobe_acrobat_updater.toml | 6 +- ...ilege_escalation_root_crontab_filemod.toml | 12 +- ...d_control_ml_packetbeat_dns_tunneling.toml | 13 +- ...ntrol_ml_packetbeat_rare_dns_question.toml | 23 +- ...d_and_control_ml_packetbeat_rare_urls.toml | 21 +- ...control_ml_packetbeat_rare_user_agent.toml | 21 +- ..._ml_auth_spike_in_failed_logon_events.toml | 17 +- ..._access_ml_auth_spike_in_logon_events.toml | 16 +- ...pike_in_logon_events_from_a_source_ip.toml | 22 +- ...s_ml_linux_anomalous_metadata_process.toml | 22 +- ...cess_ml_linux_anomalous_metadata_user.toml | 23 +- ...l_access_ml_suspicious_login_activity.toml | 13 +- ...ml_windows_anomalous_metadata_process.toml | 26 +- ...ss_ml_windows_anomalous_metadata_user.toml | 26 +- ...ml_linux_system_information_discovery.toml | 13 +- ...ystem_network_configuration_discovery.toml | 13 +- ...x_system_network_connection_discovery.toml | 13 +- ...ery_ml_linux_system_process_discovery.toml | 13 +- ...covery_ml_linux_system_user_discovery.toml | 13 +- ...execution_ml_windows_anomalous_script.toml | 29 +- ...ml_auth_rare_hour_for_a_user_to_logon.toml | 15 +- ...ess_ml_auth_rare_source_ip_for_a_user.toml | 14 +- ...nitial_access_ml_auth_rare_user_logon.toml | 22 +- ...l_access_ml_linux_anomalous_user_name.toml | 14 +- ...access_ml_windows_anomalous_user_name.toml | 17 +- ...windows_rare_user_type10_remote_login.toml | 17 +- rules/ml/ml_high_count_network_denies.toml | 23 +- rules/ml/ml_high_count_network_events.toml | 22 +- .../ml_linux_anomalous_network_activity.toml | 12 +- ...linux_anomalous_network_port_activity.toml | 12 +- .../ml/ml_packetbeat_rare_server_domain.toml | 6 +- 
rules/ml/ml_rare_destination_country.toml | 31 +- .../ml/ml_spike_in_traffic_to_a_country.toml | 15 +- ...ml_windows_anomalous_network_activity.toml | 12 +- ..._ml_linux_anomalous_process_all_hosts.toml | 25 +- ...istence_ml_rare_process_by_host_linux.toml | 26 +- ...tence_ml_rare_process_by_host_windows.toml | 57 +- ...ce_ml_windows_anomalous_path_activity.toml | 33 +- ...l_windows_anomalous_process_all_hosts.toml | 14 +- ...ml_windows_anomalous_process_creation.toml | 14 +- ...sistence_ml_windows_anomalous_service.toml | 24 +- ...tion_ml_linux_anomalous_sudo_activity.toml | 13 +- ...tion_ml_windows_rare_user_runas_event.toml | 18 +- ..._ml_linux_anomalous_compiler_activity.toml | 26 +- ...cepted_default_telnet_port_connection.toml | 4 +- ...mand_and_control_cobalt_strike_beacon.toml | 4 +- ...cobalt_strike_default_teamserver_cert.toml | 4 +- ...download_rar_powershell_from_internet.toml | 4 +- .../command_and_control_fin7_c2_behavior.toml | 4 +- .../command_and_control_halfbaked_beacon.toml | 4 +- ...d_control_nat_traversal_port_activity.toml | 4 +- .../command_and_control_port_26_activity.toml | 4 +- ...te_desktop_protocol_from_the_internet.toml | 4 +- ...l_network_computing_from_the_internet.toml | 4 +- ...ual_network_computing_to_the_internet.toml | 4 +- ...very_potential_network_sweep_detected.toml | 43 +- ...iscovery_potential_port_scan_detected.toml | 40 +- ...very_potential_syn_port_scan_detected.toml | 42 +- ...mote_procedure_call_from_the_internet.toml | 4 +- ...remote_procedure_call_to_the_internet.toml | 5 +- ...file_sharing_activity_to_the_internet.toml | 5 +- ...al_access_unsecure_elasticsearch_node.toml | 4 +- .../lateral_movement_dns_server_overflow.toml | 4 +- ..._access_endgame_cred_dumping_detected.toml | 20 +- ...access_endgame_cred_dumping_prevented.toml | 21 +- .../endgame_adversary_behavior_detected.toml | 10 +- .../promotions/endgame_malware_detected.toml | 6 +- .../promotions/endgame_malware_prevented.toml | 6 +- 
.../endgame_ransomware_detected.toml | 6 +- .../endgame_ransomware_prevented.toml | 6 +- .../execution_endgame_exploit_detected.toml | 19 +- .../execution_endgame_exploit_prevented.toml | 19 +- rules/promotions/external_alerts.toml | 22 +- ...on_endgame_cred_manipulation_detected.toml | 13 +- ...n_endgame_cred_manipulation_prevented.toml | 13 +- ...ion_endgame_permission_theft_detected.toml | 13 +- ...on_endgame_permission_theft_prevented.toml | 15 +- ...on_endgame_process_injection_detected.toml | 15 +- ...n_endgame_process_injection_prevented.toml | 13 +- ...lection_email_outlook_mailbox_via_com.toml | 24 +- ...ion_email_powershell_exchange_mailbox.toml | 26 +- .../collection_posh_audio_capture.toml | 13 +- rules/windows/collection_posh_keylogger.toml | 13 +- rules/windows/collection_posh_mailbox.toml | 13 +- .../collection_posh_screen_grabber.toml | 13 +- .../collection_posh_webcam_video_capture.toml | 16 +- .../windows/collection_winrar_encryption.toml | 24 +- .../command_and_control_certreq_postdata.toml | 31 +- ...ommand_and_control_common_webservices.toml | 4 +- ...nd_and_control_dns_tunneling_nslookup.toml | 16 +- ...control_encrypted_channel_freesslcert.toml | 13 +- .../command_and_control_headless_browser.toml | 25 +- .../command_and_control_iexplore_via_com.toml | 12 +- ...and_and_control_ingress_transfer_bits.toml | 19 +- ...w_terms_commonly_abused_rat_execution.toml | 27 +- ...ontrol_port_forwarding_added_registry.toml | 16 +- .../command_and_control_rdp_tunnel_plink.toml | 17 +- ...ol_remote_file_copy_desktopimgdownldr.toml | 4 +- ...and_control_remote_file_copy_mpcmdrun.toml | 4 +- ...d_control_remote_file_copy_powershell.toml | 4 +- ..._and_control_remote_file_copy_scripts.toml | 23 +- ...d_and_control_screenconnect_childproc.toml | 24 +- ...control_sunburst_c2_activity_detected.toml | 13 +- ...d_control_teamviewer_remote_file_copy.toml | 10 +- .../credential_access_adidns_wildcard.toml | 12 +- ...ntial_access_bruteforce_admin_account.toml | 12 +- 
...ple_logon_failure_followed_by_success.toml | 12 +- ...rce_multiple_logon_failure_same_srcip.toml | 21 +- .../credential_access_cmdline_dump_tool.toml | 15 +- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 22 +- ...ial_access_credential_dumping_msbuild.toml | 26 +- ...ial_access_dcsync_newterm_subjectuser.toml | 39 +- ...tial_access_dcsync_replication_rights.toml | 9 +- ...ntial_access_disable_kerberos_preauth.toml | 22 +- .../credential_access_dnsnode_creation.toml | 9 +- ...cess_domain_backup_dpapi_private_keys.toml | 23 +- ...credential_access_dump_registry_hives.toml | 14 +- .../credential_access_generic_localdumps.toml | 14 +- ...ntial_access_iis_apppoolsa_pwd_appcmd.toml | 21 +- ..._access_iis_connectionstrings_dumping.toml | 21 +- ..._access_kerberoasting_unusual_process.toml | 13 +- .../windows/credential_access_kirbi_file.toml | 21 +- .../credential_access_ldap_attributes.toml | 17 +- ...l_access_lsass_handle_via_malseclogon.toml | 12 +- ...edential_access_lsass_loaded_susp_dll.toml | 20 +- ...ial_access_lsass_memdump_file_created.toml | 6 +- ...al_access_lsass_memdump_handle_access.toml | 13 +- ...edential_access_lsass_openprocess_api.toml | 24 +- ...l_access_mimikatz_memssp_default_logs.toml | 14 +- ...ial_access_mimikatz_powershell_module.toml | 13 +- ..._access_mod_wdigest_security_provider.toml | 6 +- ...l_access_moving_registry_hive_via_smb.toml | 6 +- ...e_network_logon_provider_modification.toml | 16 +- ...edential_access_posh_invoke_ninjacopy.toml | 45 +- ...edential_access_posh_kerb_ticket_dump.toml | 17 +- .../credential_access_posh_minidump.toml | 13 +- .../credential_access_posh_relay_tools.toml | 18 +- ...credential_access_posh_request_ticket.toml | 13 +- .../credential_access_posh_veeam_sql.toml | 18 +- ..._potential_lsa_memdump_via_mirrordump.toml | 12 +- ...cess_relay_ntlm_auth_via_http_spoolss.toml | 25 +- ...dential_access_remote_sam_secretsdump.toml | 6 +- ...ntial_access_saved_creds_vault_winlog.toml | 4 +- 
...redential_access_saved_creds_vaultcmd.toml | 21 +- ...edelegationprivilege_assigned_to_user.toml | 10 +- .../credential_access_shadow_credentials.toml | 14 +- ...dential_access_spn_attribute_modified.toml | 6 +- ...l_access_suspicious_comsvcs_imageload.toml | 15 +- ...ccess_suspicious_lsass_access_generic.toml | 17 +- ...ccess_suspicious_lsass_access_memdump.toml | 15 +- ..._suspicious_lsass_access_via_snapshot.toml | 12 +- ...cious_winreg_access_via_sebackup_priv.toml | 16 +- ..._symbolic_link_to_shadow_copy_created.toml | 15 +- ...ial_access_veeam_backup_dll_imageload.toml | 14 +- .../credential_access_veeam_commands.toml | 28 +- ...ess_via_snapshot_lsass_clone_creation.toml | 12 +- ...dential_access_wireless_creds_dumping.toml | 14 +- ...den_file_attribute_with_via_attribexe.toml | 43 +- ...defense_evasion_amsi_bypass_dllhijack.toml | 14 +- ...efense_evasion_amsi_bypass_powershell.toml | 13 +- .../defense_evasion_amsienable_key_mod.toml | 15 +- ...sion_clearing_windows_console_history.toml | 16 +- ...e_evasion_clearing_windows_event_logs.toml | 15 +- ...vasion_clearing_windows_security_logs.toml | 12 +- ...ing_policy_modification_builtin_tools.toml | 31 +- ..._signing_policy_modification_registry.toml | 29 +- ...e_evasion_create_mod_root_certificate.toml | 6 +- .../defense_evasion_cve_2020_0601.toml | 12 +- ...vasion_defender_disabled_via_registry.toml | 15 +- ...ion_defender_exclusion_via_powershell.toml | 14 +- ...delete_volume_usn_journal_with_fsutil.toml | 22 +- .../windows/defense_evasion_disable_nla.toml | 22 +- ...asion_disable_posh_scriptblocklogging.toml | 15 +- ...ble_windows_firewall_rules_with_netsh.toml | 14 +- ...disabling_windows_defender_powershell.toml | 15 +- ...efense_evasion_disabling_windows_logs.toml | 15 +- ...efense_evasion_dns_over_https_enabled.toml | 24 +- ...vasion_dotnet_compiler_parent_process.toml | 28 +- ...evasion_enable_inbound_rdp_with_netsh.toml | 14 +- ...n_enable_network_discovery_with_netsh.toml | 14 +- 
...ecution_control_panel_suspicious_args.toml | 29 +- ...ense_evasion_execution_lolbas_wuauclt.toml | 30 +- ...ecution_msbuild_started_by_office_app.toml | 14 +- ...n_execution_msbuild_started_by_script.toml | 30 +- ...ion_msbuild_started_by_system_process.toml | 29 +- ...ion_execution_msbuild_started_renamed.toml | 7 +- ...cution_msbuild_started_unusal_process.toml | 27 +- ...execution_suspicious_explorer_winword.toml | 23 +- ...sion_execution_windefend_unusual_path.toml | 23 +- ..._evasion_file_creation_mult_extension.toml | 14 +- ...efense_evasion_from_unusual_directory.toml | 22 +- ...sion_hide_encoded_executable_registry.toml | 22 +- ...ense_evasion_iis_httplogging_disabled.toml | 22 +- .../defense_evasion_injection_msbuild.toml | 14 +- .../defense_evasion_installutil_beacon.toml | 20 +- ...querading_as_elastic_endpoint_process.toml | 24 +- ..._masquerading_business_apps_installer.toml | 18 +- ...asion_masquerading_communication_apps.toml | 17 +- ...e_evasion_masquerading_renamed_autoit.toml | 6 +- ...erading_suspicious_werfault_childproc.toml | 29 +- ...vasion_masquerading_trusted_directory.toml | 21 +- ...defense_evasion_masquerading_werfault.toml | 23 +- ..._evasion_microsoft_defender_tampering.toml | 23 +- ...isc_lolbin_connecting_to_the_internet.toml | 22 +- ...e_evasion_ms_office_suspicious_regmod.toml | 6 +- ...on_msbuild_making_network_connections.toml | 22 +- .../windows/defense_evasion_mshta_beacon.toml | 20 +- .../defense_evasion_msxsl_network.toml | 20 +- ...etwork_connection_from_windows_binary.toml | 39 +- ...e_evasion_parent_process_pid_spoofing.toml | 15 +- ...persistence_account_tokenfilterpolicy.toml | 16 +- .../defense_evasion_posh_encryption.toml | 13 +- ...efense_evasion_posh_process_injection.toml | 15 +- ..._powershell_windows_firewall_disabled.toml | 7 +- ...cess_termination_followed_by_deletion.toml | 17 +- ...ense_evasion_proxy_execution_via_msdt.toml | 13 +- ...defense_evasion_root_dir_ads_creation.toml | 24 +- 
...defense_evasion_rundll32_no_arguments.toml | 14 +- ...fense_evasion_sccm_scnotification_dll.toml | 14 +- ...ion_scheduledjobs_at_protocol_enabled.toml | 21 +- ..._evasion_sdelete_like_filename_rename.toml | 18 +- .../defense_evasion_sip_provider_mod.toml | 14 +- ...ackdoor_service_disabled_via_registry.toml | 24 +- ..._evasion_suspicious_certutil_commands.toml | 23 +- ...picious_execution_from_mounted_device.toml | 15 +- ...n_suspicious_managedcode_host_process.toml | 17 +- ...picious_process_access_direct_syscall.toml | 16 +- ...suspicious_process_creation_calltrace.toml | 13 +- ...efense_evasion_suspicious_scrobj_load.toml | 15 +- ...evasion_suspicious_short_program_name.toml | 20 +- ...defense_evasion_suspicious_wmi_script.toml | 24 +- ...evasion_suspicious_zoom_child_process.toml | 27 +- ..._critical_proc_abnormal_file_activity.toml | 7 +- .../defense_evasion_timestomp_sysmon.toml | 14 +- ...sion_unsigned_dll_loaded_from_suspdir.toml | 20 +- ...fense_evasion_untrusted_driver_loaded.toml | 32 +- ...nse_evasion_unusual_ads_file_creation.toml | 14 +- .../defense_evasion_unusual_dir_ads.toml | 14 +- ...nusual_network_connection_via_dllhost.toml | 20 +- ...usual_network_connection_via_rundll32.toml | 23 +- ...on_unusual_process_network_connection.toml | 21 +- ...asion_unusual_system_vp_child_program.toml | 21 +- .../defense_evasion_via_filter_manager.toml | 23 +- ...se_evasion_windows_filtering_platform.toml | 22 +- ...evasion_workfolders_control_execution.toml | 4 +- .../defense_evasion_wsl_bash_exec.toml | 40 +- .../defense_evasion_wsl_child_process.toml | 26 +- .../defense_evasion_wsl_enabled_via_dism.toml | 27 +- .../defense_evasion_wsl_filesystem.toml | 26 +- .../defense_evasion_wsl_kalilinux.toml | 26 +- ...nse_evasion_wsl_registry_modification.toml | 19 +- ...discovery_active_directory_webservice.toml | 20 +- .../discovery_adfind_command_activity.toml | 31 +- rules/windows/discovery_admin_recon.toml | 37 +- .../discovery_command_system_account.toml | 16 +- 
...enumerating_domain_trusts_via_dsquery.toml | 32 +- ..._enumerating_domain_trusts_via_nltest.toml | 39 +- ...scovery_group_policy_object_discovery.toml | 31 +- .../discovery_high_number_ad_properties.toml | 7 +- .../windows/discovery_peripheral_device.toml | 22 +- .../discovery_posh_invoke_sharefinder.toml | 18 +- ...unusual_discovery_signal_proc_cmdline.toml | 22 +- ...sual_discovery_signal_proc_executable.toml | 22 +- .../discovery_whoami_command_activity.toml | 14 +- ...arwinds_backdoor_child_cmd_powershell.toml | 24 +- ...inds_backdoor_unusual_child_processes.toml | 13 +- .../windows/execution_com_object_xwizard.toml | 21 +- ...and_prompt_connecting_to_the_internet.toml | 22 +- ...tion_command_shell_started_by_svchost.toml | 4 +- ...mand_shell_started_by_unusual_process.toml | 23 +- .../execution_command_shell_via_rundll32.toml | 19 +- ...tion_delayed_via_ping_lolbas_unsigned.toml | 139 +- .../execution_downloaded_shortcut_files.toml | 12 +- .../execution_downloaded_url_file.toml | 13 +- .../execution_enumeration_via_wmiprvse.toml | 60 +- .../execution_from_unusual_path_cmdline.toml | 14 +- ...le_program_connecting_to_the_internet.toml | 22 +- ...execution_initial_access_via_msc_file.toml | 20 +- rules/windows/execution_mofcomp.toml | 17 +- .../execution_ms_office_written_file.toml | 28 +- rules/windows/execution_pdf_written_file.toml | 23 +- .../execution_posh_hacktool_authors.toml | 22 +- .../execution_posh_portable_executable.toml | 15 +- ...ution_psexec_lateral_movement_command.toml | 26 +- ...er_program_connecting_to_the_internet.toml | 24 +- ...tion_scheduled_task_powershell_source.toml | 33 +- ...xecution_shared_modules_local_sxs_dll.toml | 14 +- .../windows/execution_suspicious_cmd_wmi.toml | 25 +- ...n_suspicious_image_load_wmi_ms_office.toml | 14 +- .../execution_suspicious_pdf_reader.toml | 26 +- ...ecution_suspicious_powershell_imgload.toml | 27 +- .../execution_suspicious_psexesvc.toml | 31 +- .../execution_via_compiled_html_file.toml | 22 +- 
.../execution_via_hidden_shell_conhost.toml | 19 +- .../exfiltration_smb_rare_destination.toml | 24 +- .../windows/impact_backup_file_deletion.toml | 23 +- ...deleting_backup_catalogs_with_wbadmin.toml | 32 +- ...pact_high_freq_file_renames_by_kernel.toml | 19 +- .../impact_modification_of_boot_config.toml | 22 +- .../impact_ransomware_file_rename_smb.toml | 30 +- .../impact_ransomware_note_file_over_smb.toml | 25 +- ...impact_stop_process_service_threshold.toml | 24 +- ...copy_deletion_or_resized_via_vssadmin.toml | 23 +- ...e_shadow_copy_deletion_via_powershell.toml | 24 +- ..._volume_shadow_copy_deletion_via_wmic.toml | 27 +- ..._evasion_suspicious_htm_file_creation.toml | 12 +- ...itial_access_execution_from_inetcache.toml | 28 +- ...access_execution_from_removable_media.toml | 15 +- ...l_access_execution_remote_via_msiexec.toml | 22 +- ...al_access_execution_via_office_addins.toml | 32 +- ...cess_exfiltration_first_time_seen_usb.toml | 35 +- ...ial_access_exploit_jetbrains_teamcity.toml | 29 +- ...al_access_script_executing_powershell.toml | 19 +- ...ccess_scripts_process_started_via_wmi.toml | 34 +- ...l_access_suspicious_ms_exchange_files.toml | 18 +- ...access_suspicious_ms_exchange_process.toml | 24 +- ...ious_ms_exchange_worker_child_process.toml | 18 +- ...ss_suspicious_ms_office_child_process.toml | 26 +- ...s_suspicious_ms_outlook_child_process.toml | 29 +- ...explorer_suspicious_child_parent_args.toml | 20 +- ..._access_webshell_screenconnect_server.toml | 30 +- ...l_access_xsl_script_execution_via_com.toml | 18 +- .../lateral_movement_alternate_creds_pth.toml | 14 +- .../windows/lateral_movement_cmd_service.toml | 20 +- rules/windows/lateral_movement_dcom_hta.toml | 20 +- .../windows/lateral_movement_dcom_mmc20.toml | 24 +- ...t_dcom_shellwindow_shellbrowserwindow.toml | 20 +- ...n_lanman_nullsessionpipe_modification.toml | 17 +- ...vement_direct_outbound_smb_connection.toml | 13 +- ...ateral_movement_evasion_rdp_shadowing.toml | 25 +- 
...movement_executable_tool_transfer_smb.toml | 13 +- ..._movement_execution_from_tsclient_mup.toml | 23 +- ...nt_execution_via_file_shares_sequence.toml | 18 +- ...vement_incoming_winrm_shell_execution.toml | 21 +- .../lateral_movement_incoming_wmi.toml | 22 +- ...ment_mount_hidden_or_webdav_share_net.toml | 26 +- ...l_movement_powershell_remoting_target.toml | 25 +- ...lateral_movement_rdp_enabled_registry.toml | 20 +- .../lateral_movement_rdp_sharprdp_target.toml | 12 +- ...ovement_remote_file_copy_hidden_share.toml | 21 +- ...ement_remote_service_installed_winlog.toml | 12 +- .../lateral_movement_remote_services.toml | 21 +- ..._movement_remote_task_creation_winlog.toml | 10 +- ...ateral_movement_scheduled_task_target.toml | 21 +- ...ement_suspicious_rdp_client_imageload.toml | 17 +- ...movement_unusual_dns_service_children.toml | 23 +- ...ement_unusual_dns_service_file_writes.toml | 15 +- ...l_movement_via_startup_folder_rdp_smb.toml | 16 +- .../windows/persistence_ad_adminsdholder.toml | 16 +- .../persistence_adobe_hijack_persistence.toml | 34 +- .../windows/persistence_app_compat_shim.toml | 13 +- .../persistence_appcertdlls_registry.toml | 25 +- .../persistence_appinitdlls_registry.toml | 4 +- ...persistence_browser_extension_install.toml | 15 +- .../persistence_dontexpirepasswd_account.toml | 6 +- ...evasion_hidden_local_account_creation.toml | 15 +- ...tence_evasion_registry_ifeo_injection.toml | 19 +- ...egistry_startup_shell_folder_modified.toml | 20 +- ...sistence_local_scheduled_job_creation.toml | 23 +- ...istence_local_scheduled_task_creation.toml | 13 +- ...stence_local_scheduled_task_scripting.toml | 24 +- .../persistence_ms_office_addins_file.toml | 17 +- .../persistence_ms_outlook_vba_template.toml | 14 +- ...istence_msds_alloweddelegateto_krbtgt.toml | 13 +- ...persistence_msoffice_startup_registry.toml | 20 +- .../windows/persistence_netsh_helper_dll.toml | 23 +- ...ll_exch_mailbox_activesync_add_device.toml | 23 +- 
.../persistence_powershell_profiles.toml | 17 +- ...escalation_via_accessibility_features.toml | 15 +- .../persistence_registry_uncommon.toml | 32 +- .../persistence_remote_password_reset.toml | 16 +- ...persistence_run_key_and_startup_broad.toml | 14 +- ...ce_runtime_run_key_startup_susp_procs.toml | 14 +- ...stence_scheduled_task_creation_winlog.toml | 4 +- .../persistence_scheduled_task_updated.toml | 5 +- ...istence_sdprop_exclusion_dsheuristics.toml | 10 +- .../persistence_service_dll_unsigned.toml | 19 +- ...stence_service_windows_service_winlog.toml | 21 +- .../persistence_services_registry.toml | 19 +- ...er_file_written_by_suspicious_process.toml | 15 +- ...lder_file_written_by_unsigned_process.toml | 18 +- .../persistence_startup_folder_scripts.toml | 15 +- ...stence_suspicious_com_hijack_registry.toml | 21 +- ...s_image_load_scheduled_task_ms_office.toml | 21 +- ...nce_suspicious_scheduled_task_runtime.toml | 15 +- ...e_suspicious_service_created_registry.toml | 19 +- ...istence_sysmon_wmi_event_subscription.toml | 27 +- ...ersistence_system_shells_via_services.toml | 28 +- .../persistence_temp_scheduled_task.toml | 16 +- .../persistence_time_provider_mod.toml | 17 +- ..._account_added_to_privileged_group_ad.toml | 14 +- .../persistence_user_account_creation.toml | 22 +- .../persistence_via_application_shimming.toml | 21 +- ...rsistence_via_bits_job_notify_command.toml | 23 +- ...sistence_via_hidden_run_key_valuename.toml | 21 +- ...sa_security_support_provider_registry.toml | 19 +- ...emetrycontroller_scheduledtask_hijack.toml | 31 +- ...ia_update_orchestrator_service_hijack.toml | 17 +- ...nt_instrumentation_event_subscription.toml | 25 +- ...tence_via_wmi_stdregprov_run_services.toml | 14 +- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 31 +- .../persistence_webshell_detection.toml | 40 +- .../persistence_werfault_reflectdebugger.toml | 17 +- ...tion_create_process_as_different_user.toml | 4 +- ...tion_create_process_with_token_unpriv.toml | 18 +- 
...privilege_escalation_credroaming_ldap.toml | 13 +- ...ilege_escalation_disable_uac_registry.toml | 27 +- ...ege_escalation_driver_newterm_imphash.toml | 36 +- ...lege_escalation_expired_driver_loaded.toml | 19 +- ...lege_escalation_exploit_cve_202238028.toml | 24 +- ...calation_gpo_schtask_service_creation.toml | 16 +- ...ege_escalation_group_policy_iniscript.toml | 6 +- ...lation_group_policy_privileged_groups.toml | 6 +- ...scalation_group_policy_scheduled_task.toml | 9 +- ...rivilege_escalation_installertakeover.toml | 14 +- ...scalation_krbrelayup_service_creation.toml | 14 +- ...privilege_escalation_lsa_auth_package.toml | 13 +- ...privilege_escalation_make_token_local.toml | 9 +- ...e_escalation_named_pipe_impersonation.toml | 14 +- ...scalation_newcreds_logon_rare_process.toml | 14 +- ...ge_escalation_persistence_phantom_dll.toml | 10 +- ...ion_port_monitor_print_pocessor_abuse.toml | 15 +- ...e_escalation_posh_token_impersonation.toml | 13 +- ...ation_printspooler_registry_copyfiles.toml | 15 +- ..._printspooler_service_suspicious_file.toml | 15 +- ...printspooler_suspicious_file_deletion.toml | 15 +- ...tion_printspooler_suspicious_spl_file.toml | 15 +- ...calation_rogue_windir_environment_var.toml | 14 +- ...lation_samaccountname_spoofing_attack.toml | 16 +- ...on_service_control_spawned_script_int.toml | 36 +- ...alation_suspicious_dnshostname_update.toml | 14 +- ...lation_tokenmanip_sedebugpriv_enabled.toml | 4 +- ...lege_escalation_uac_bypass_com_clipup.toml | 18 +- ...ge_escalation_uac_bypass_com_ieinstal.toml | 19 +- ...n_uac_bypass_com_interface_icmluautil.toml | 18 +- ...alation_uac_bypass_diskcleanup_hijack.toml | 25 +- ...escalation_uac_bypass_dll_sideloading.toml | 19 +- ...ge_escalation_uac_bypass_event_viewer.toml | 24 +- ...ege_escalation_uac_bypass_mock_windir.toml | 43 +- ...scalation_uac_bypass_winfw_mmc_hijack.toml | 36 +- ...lege_escalation_unquoted_service_path.toml | 15 +- ...tion_unusual_parentchild_relationship.toml | 22 +- 
...ion_unusual_printspooler_childprocess.toml | 13 +- ...n_unusual_svchost_childproc_childless.toml | 16 +- ...rivilege_escalation_via_ppid_spoofing.toml | 12 +- ...ilege_escalation_via_rogue_named_pipe.toml | 12 +- .../privilege_escalation_via_token_theft.toml | 12 +- ...on_windows_service_via_unusual_client.toml | 4 +- ...collection_archive_data_zip_imageload.toml | 20 +- ...ction_common_compressed_archived_file.toml | 76 +- ...tion_files_staged_in_recycle_bin_root.toml | 27 +- ...n_linux_suspicious_clipboard_activity.toml | 35 +- .../collection_outlook_email_archive.toml | 26 +- ...ommand_and_control_bitsadmin_activity.toml | 21 +- ...d_control_certutil_network_connection.toml | 4 +- ..._and_control_linux_ssh_x11_forwarding.toml | 30 +- ...nd_and_control_non_standard_http_port.toml | 57 +- .../credential_access_mdmp_file_creation.toml | 18 +- ...al_access_mdmp_file_unusual_extension.toml | 22 +- ...dential_access_win_private_key_access.toml | 23 +- ...ense_evasion_cmd_copy_binary_contents.toml | 29 +- .../defense_evasion_cmstp_execution.toml | 22 +- ...rading_unusual_archive_file_extension.toml | 20 +- ...ication_apps_suspicious_child_process.toml | 23 +- ..._creation_of_hidden_files_directories.toml | 37 +- .../defense_evasion_dll_hijack.toml | 20 +- ...evasion_dotnet_clickonce_dfsvc_netcon.toml | 28 +- ...fense_evasion_download_susp_extension.toml | 45 +- ...cution_via_visualstudio_prebuildevent.toml | 31 +- ..._evasion_file_permission_modification.toml | 20 +- .../defense_evasion_generic_deletion.toml | 21 +- ...indirect_command_exec_pcalua_forfiles.toml | 29 +- ...fense_evasion_injection_from_msoffice.toml | 29 +- ..._evasion_installutil_command_activity.toml | 25 +- ...se_evasion_invalid_codesign_imageload.toml | 21 +- ...defense_evasion_masquerading_browsers.toml | 22 +- ...squerading_unusual_exe_file_extension.toml | 19 +- .../defense_evasion_masquerading_vlc_dll.toml | 23 +- ...ense_evasion_masquerading_windows_dll.toml | 25 +- 
...ion_masquerading_windows_system32_exe.toml | 24 +- ...fense_evasion_msdt_suspicious_diagcab.toml | 49 +- ...on_msiexec_installsource_archive_file.toml | 22 +- ...vasion_processes_with_trailing_spaces.toml | 37 +- ...nse_evasion_service_disabled_registry.toml | 12 +- ...defense_evasion_service_path_registry.toml | 23 +- .../defense_evasion_services_exe_path.toml | 23 +- ..._evasion_suspicious_msiexec_execution.toml | 27 +- .../defense_evasion_unsigned_bits_client.toml | 38 +- ...nse_evasion_unusual_process_extension.toml | 26 +- ...nse_evasion_unusual_process_path_wbem.toml | 31 +- .../defense_evasion_write_dac_access.toml | 35 +- ...iscovery_files_dir_systeminfo_via_cmd.toml | 36 +- .../discovery_generic_account_groups.toml | 37 +- .../discovery_generic_process_discovery.toml | 35 +- .../discovery_generic_registry_query.toml | 27 +- .../discovery_hosts_file_access.toml | 31 +- .../discovery_internet_capabilities.toml | 29 +- ...ry_kernel_module_enumeration_via_proc.toml | 31 +- .../discovery_linux_modprobe_enumeration.toml | 31 +- .../discovery_linux_sysctl_enumeration.toml | 31 +- ...ry_linux_system_information_discovery.toml | 29 +- ...ery_linux_system_owner_user_discovery.toml | 29 +- .../discovery_net_share_discovery_winlog.toml | 22 +- rules_building_block/discovery_net_view.toml | 34 +- ..._accounts_or_groups_via_builtin_tools.toml | 39 +- .../discovery_of_domain_groups.toml | 29 +- .../discovery_posh_password_policy.toml | 21 +- ..._post_exploitation_external_ip_lookup.toml | 29 +- ...ery_potential_memory_seeking_activity.toml | 25 +- ...y_process_discovery_via_builtin_tools.toml | 31 +- ...ote_system_discovery_commands_windows.toml | 29 +- .../discovery_security_software_wmic.toml | 43 +- .../discovery_signal_unusual_user_host.toml | 24 +- ...overy_suspicious_memory_grep_activity.toml | 27 +- ...discovery_suspicious_proc_enumeration.toml | 27 +- .../discovery_system_network_connections.toml | 31 +- .../discovery_system_service_discovery.toml | 40 +- 
.../discovery_system_time_discovery.toml | 37 +-
.../discovery_win_network_connections.toml | 28 +-
..._windows_system_information_discovery.toml | 26 +-
...ution_github_new_event_action_for_pat.toml | 28 +-
...n_github_new_repo_interaction_for_pat.toml | 28 +-
..._github_new_repo_interaction_for_user.toml | 28 +-
.../execution_github_repo_created.toml | 25 +-
...n_github_repo_interaction_from_new_ip.toml | 30 +-
.../execution_linux_segfault.toml | 16 +-
...ution_settingcontent_ms_file_creation.toml | 40 +-
.../execution_unix_socket_communication.toml | 39 +-
...execution_unsigned_service_executable.toml | 37 +-
.../execution_wmi_wbemtest.toml | 27 +-
...thub_member_removed_from_organization.toml | 27 +-
.../impact_github_pat_access_revoked.toml | 27 +-
...github_user_blocked_from_organization.toml | 27 +-
.../initial_access_cross_site_scripting.toml | 15 +-
..._access_github_new_ip_address_for_pat.toml | 31 +-
...access_github_new_ip_address_for_user.toml | 31 +-
..._access_github_new_user_agent_for_pat.toml | 31 +-
...access_github_new_user_agent_for_user.toml | 31 +-
rules_building_block/lateral_movement_at.toml | 32 +-
...ral_movement_rdp_conn_unusual_process.toml | 21 +-
...movement_unusual_process_sql_accounts.toml | 30 +-
.../lateral_movement_wmic_remote.toml | 25 +-
...e_aws_iam_login_profile_added_to_user.toml | 25 +-
...persistence_creation_of_kernel_module.toml | 33 +-
.../persistence_github_new_pat_for_user.toml | 31 +-
...github_new_user_added_to_organization.toml | 29 +-
.../persistence_startup_folder_lnk.toml | 18 +-
.../persistence_transport_agent_exchange.toml | 43 +-
.../privilege_escalation_trap_execution.toml | 33 +-
tests/test_all_rules.py | 10 +-
1036 files changed, 12346 insertions(+), 11392 deletions(-)
create mode 100644 docs/versioning.md
diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml
index bda7d3dbe..1dfd97ad7 100644
--- a/.github/workflows/lock-versions.yml
+++ b/.github/workflows/lock-versions.yml
@@ -6,7 +6,7 @@ on:
  description: 'List of branches to lock versions (ordered, comma separated)'
  required: true
  # 7.17 was intentionally skipped because it was added late and was bug fix only
- default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14'
+ default: '8.9,8.10,8.11,8.12,8.13,8.14'
 jobs:
  pr:
diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py
index 71bd2f218..7befb9d1a 100644
--- a/detection_rules/devtools.py
+++ b/detection_rules/devtools.py
@@ -812,8 +812,9 @@ def update_navigator_gists(directory: Path, token: str, gist_id: str, print_mark
 @dev_group.command('trim-version-lock')
 @click.argument('stack_version')
+@click.option('--skip-rule-updates', is_flag=True, help='Skip updating the rules')
 @click.option('--dry-run', is_flag=True, help='Print the changes rather than saving the file')
-def trim_version_lock(stack_version: str, dry_run: bool):
+def trim_version_lock(stack_version: str, skip_rule_updates: bool, dry_run: bool):
  """Trim all previous entries within the version lock file which are lower than the min_version."""
  stack_versions = get_stack_versions()
  assert stack_version in stack_versions, \
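Review bot: The docstring kept as context under the new `trim_version_lock` signature still describes only trimming `previous` entries, while the command now also drops `min_stack_version` from lock entries and rewrites rule TOML files unless `--skip-rule-updates` is passed. I'd extend it to say so, e.g. `"""Trim version lock entries below the min version; also drop min_stack_version from lock entries and rule files (use --skip-rule-updates to leave rule files untouched)."""`. The new option's help, `help='Skip updating the rules'`, could likewise state what is skipped: `help='Do not rewrite rule TOML files whose min_stack_version is dropped'`. The function body continues in the next hunk.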
@@ -821,36 +822,78 @@ def trim_version_lock(stack_version: str, dry_run: bool):
  min_version = Version.parse(stack_version)
  version_lock_dict = default_version_lock.version_lock.to_dict()
- removed = {}
+ removed = defaultdict(list)
+ rule_msv_drops = []
+
+ today = time.strftime('%Y/%m/%d')
+ rc: RuleCollection | None = None
+ if dry_run:
+ rc = RuleCollection()
+ else:
+ if not skip_rule_updates:
+ click.echo('Loading rules ...')
+ rc = RuleCollection.default()
  for rule_id, lock in version_lock_dict.items():
+ file_min_stack: Version | None = None
+ if 'min_stack_version' in lock:
+ file_min_stack = Version.parse((lock['min_stack_version']), optional_minor_and_patch=True)
+ if file_min_stack <= min_version:
+ removed[rule_id].append(
+ f'locked min_stack_version <= {min_version} - {"will remove" if dry_run else "removing"}!'
+ )
+ rule_msv_drops.append(rule_id)
+ file_min_stack = None
+
+ if not dry_run:
+ lock.pop('min_stack_version')
+ if not skip_rule_updates:
+ # remove the min_stack_version and min_stack_comments from rules as well (and update date)
+ rule = rc.id_map.get(rule_id)
+ if rule:
+ new_meta = dataclasses.replace(
+ rule.contents.metadata,
+ updated_date=today,
+ min_stack_version=None,
+ min_stack_comments=None
+ )
+ contents = dataclasses.replace(rule.contents, metadata=new_meta)
+ new_rule = TOMLRule(contents=contents, path=rule.path)
+ new_rule.save_toml()
+ removed[rule_id].append('rule min_stack_version dropped')
+ else:
+ removed[rule_id].append('rule not found to update!')
+
  if 'previous' in lock:
  prev_vers = [Version.parse(v, optional_minor_and_patch=True) for v in list(lock['previous'])]
- outdated_vers = [f"{v.major}.{v.minor}" for v in prev_vers if v < min_version]
+ outdated_vers = [v for v in prev_vers if v < min_version]
  if not outdated_vers:
  continue
  # we want to remove all "old" versions, but save the latest that is >= the min version supplied as the new
  # stack_version.
+ latest_version = max(outdated_vers)
- if dry_run:
- outdated_minus_current = [str(v) for v in outdated_vers if v < stack_version]
- if outdated_minus_current:
- removed[rule_id] = outdated_minus_current
  for outdated in outdated_vers:
- popped = lock['previous'].pop(str(outdated))
- if outdated >= stack_version:
- lock['previous'][str(Version(stack_version[:2]))] = popped
+ short_outdated = f"{outdated.major}.{outdated.minor}"
+ popped = lock['previous'].pop(str(short_outdated))
+ # the core of the update - we only need to keep previous entries that are newer than the min supported
+ # version (from stack-schema-map and stack-version parameter) and older than the locked
+ # min_stack_version for a given rule, if one exists
+ if file_min_stack and outdated == latest_version and outdated < file_min_stack:
+ lock['previous'][f'{min_version.major}.{min_version.minor}'] = popped
+ removed[rule_id].append(f'{short_outdated} updated to: {min_version.major}.{min_version.minor}')
+ else:
+ removed[rule_id].append(f'{outdated} dropped')
  # remove the whole previous entry if it is now blank
  if not lock['previous']:
  lock.pop('previous')
- if dry_run:
- click.echo(f'The following versions would be collapsed to {stack_version}:' if removed else 'No changes')
- click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items()))
- else:
+ click.echo(f'Changes {"that will be " if dry_run else ""} applied:' if removed else 'No changes')
+ click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items()))
+ if not dry_run:
  new_lock = VersionLockFile.from_dict(dict(data=version_lock_dict))
  new_lock.save_to_file()
diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml
index 9daf9547d..f2ea604e4 100644
--- a/detection_rules/etc/stack-schema-map.yaml
+++ b/detection_rules/etc/stack-schema-map.yaml
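Review bot: The rename in the new `for outdated` loop can clobber an existing entry: when `lock['previous']` already holds a key equal to `f'{min_version.major}.{min_version.minor}'` (such a key is not `< min_version`, so it is never in `outdated_vers` and stays in the dict), the `lock['previous'][...] = popped` assignment overwrites it with the older entry; I'd bind `target = f'{min_version.major}.{min_version.minor}'` and extend the condition to `if file_min_stack and outdated == latest_version and outdated < file_min_stack and target not in lock['previous']:` so the older entry falls through to the `dropped` branch instead. Two smaller things in the same hunk: `rule_msv_drops` is appended to but never read, and the dry-run `rc = RuleCollection()` is never used because the `rc.id_map` lookup sits under `if not dry_run`, so both can go. The final echo produces a double space in both branches (`Changes that will be  applied:` / `Changes  applied:`); `f'Changes {"that will be " if dry_run else ""}applied:'` fixes it. Rule files are written per iteration via `new_rule.save_toml()` while the lock file is saved only after the loop, so an exception midway leaves rule files updated but the lock untouched; worth stating in the docstring or deferring the saves until the lock is written. The enclosing function starts before this hunk.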
@@ -42,39 +42,38 @@
  # beats: "8.2.1"
  # ecs: "8.2.1"
  # endgame: "1.9.0"
+# "8.3.0":
+# beats: "8.3.3"
+# ecs: "8.3.1"
+# endgame: "1.9.0"
+
+# "8.4.0":
+# beats: "8.4.3"
+# ecs: "8.4.0"
+# endgame: "8.4.0"
+
+# "8.5.0":
+# beats: "8.5.3"
+# ecs: "8.5.2"
+# endgame: "8.4.0"
+
+# "8.6.0":
+# beats: "8.6.1"
+# ecs: "8.6.1"
+# endgame: "8.4.0"
+
+# "8.7.0":
+# beats: "8.7.0"
+# ecs: "8.7.0"
+# endgame: "8.4.0"
+
+# "8.8.0":
+# beats: "8.8.2"
+# ecs: "8.8.0"
+# endgame: "8.4.0"
 ## Supported
-"8.3.0":
- beats: "8.3.3"
- ecs: "8.3.1"
- endgame: "1.9.0"
-
-"8.4.0":
- beats: "8.4.3"
- ecs: "8.4.0"
- endgame: "8.4.0"
-
-"8.5.0":
- beats: "8.5.3"
- ecs: "8.5.2"
- endgame: "8.4.0"
-
-"8.6.0":
- beats: "8.6.1"
- ecs: "8.6.1"
- endgame: "8.4.0"
-
-"8.7.0":
- beats: "8.7.0"
- ecs: "8.7.0"
- endgame: "8.4.0"
-
-"8.8.0":
- beats: "8.8.2"
- ecs: "8.8.0"
- endgame: "8.4.0"
-
 "8.9.0":
  beats: "8.9.0"
  ecs: "8.9.0"
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index d28d74a83..b59efb5d6 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -2,7 +2,7 @@
  "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
  "min_stack_version": "8.10",
  "previous": {
- "8.3": {
+ "8.9": {
  "max_allowable_version": 206,
  "rule_name": "Attempt to Modify an Okta Policy Rule",
  "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
@@ -16,346 +16,258 @@ "version": 207 }, "00140285-b827-4aee-aa09-8113f58a08f3": { - "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "ac7d08baf88d495e5767d5845ee47e22b500b643e11ca7e806309d30e958a1fc", "type": "eql", "version": 112 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { - "min_stack_version": "8.3", "rule_name": "System Shells via Services", "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71", "type": "eql", "version": 110 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "Google Workspace Suspended User Account Renewed", "sha256": "cfbc6ffe95e39937d68146e42f932947e2c3c96cc9a42ab296e12bc8c613f5f1", "type": "query", "version": 2 }, "0136b315-b566-482f-866c-1d8e2477ba16": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 User Restricted from Sending Email", "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f", "type": "query", "version": 206 }, "015cca13-8832-49ac-a01b-a396114809f6": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Redshift Cluster Creation", - "sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Redshift Cluster Creation", "sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca", "type": "query", "version": 206 }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { - "min_stack_version": "8.3", "rule_name": "Potential Network Scan Detected", "sha256": "931bd95c0fff284b33e383dce3f3fccaf7b0c36b8b6b946b1c39ff5ded2aa8e1", "type": "threshold", "version": 5 }, 
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": { - "min_stack_version": "8.6", "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", "type": "new_terms", "version": 1 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { - "min_stack_version": "8.3", "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", "type": "eql", "version": 105 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", "type": "new_terms", "version": 1 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { - "min_stack_version": "8.4", "rule_name": "Process Created with an Elevated Token", "sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db", "type": "eql", "version": 6 }, "02a4576a-7480-4284-9327-548a806b5e48": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "8f8844fda927ba3149c7d983e7f7619e33e5745f8b1f389c0e10f3b6ba852e0a", - "type": "eql", - "version": 106 - } - }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", "type": "eql", "version": 208 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { - "min_stack_version": "8.3", "rule_name": "Potential Ransomware Note File Dropped via SMB", "sha256": "dafd8f85b8e37f96aaabd0405826cb232ac4c2f22571f2878d3a875a0e141da8", "type": "eql", "version": 1 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { - "min_stack_version": "8.3", "rule_name": "Dumping Account Hashes via Built-In Commands", "sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb", "type": "query", 
"version": 106 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573", "type": "query", "version": 206 }, "035889c4-2686-4583-a7df-67f89c292f2c": { - "min_stack_version": "8.3", "rule_name": "High Number of Process and/or Service Terminations", "sha256": "5bb8f568879a496363f640b8866b46e0a39fe4e15005cab6f5af9eb499e3584d", "type": "threshold", "version": 109 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { - "min_stack_version": "8.3", "rule_name": "Potential Memory Seeking Activity", "sha256": "4fa0b41dabe97414e45d4ae961a4c4fd9c445bca04d51659e7251547e80fe258", "type": "eql", "version": 2 }, "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { - "min_stack_version": "8.3", "rule_name": "Suspicious Dynamic Linker Discovery via od", "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8", "type": "eql", "version": 2 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { - "min_stack_version": "8.8", "rule_name": "SSH Process Launched From Inside A Container", "sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d", "type": "eql", "version": 2 }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { - "min_stack_version": "8.3", "rule_name": "Potential Network Scan Executed From Host", "sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4", "type": "threshold", "version": 3 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { - "min_stack_version": "8.3", "rule_name": "Modification of OpenSSH Binaries", "sha256": "ceef6d0c728c9575da9bd78da19050dc7e02eaee57eca642272639b91d863494", "type": "query", "version": 109 }, 
"041d4d41-9589-43e2-ba13-5680af75ebc2": { - "min_stack_version": "8.3", "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", "sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047", "type": "query", "version": 105 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { - "min_stack_version": "8.3", "rule_name": "Azure AD Global Administrator Role Assigned", "sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9", "type": "query", "version": 102 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { - "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "sha256": "08eeec4ed1f73497e06767edc13231268e1d647f7b29f0401175d1618d04affa", "type": "eql", "version": 110 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { - "min_stack_version": "8.6", "rule_name": "Potential Persistence Through Systemd-udevd", "sha256": "f62fb7313ec0d7a280a370adae0caf8ba65410a71d6574ade7ab588a95963763", "type": "new_terms", "version": 3 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { - "min_stack_version": "8.3", "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "a85b92effa53537c7a86f7871455c176bc2c48a6928248fa29dcf8a548677730", "type": "eql", "version": 110 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { - "min_stack_version": "8.3", "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", "type": "eql", "version": 110 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { - "min_stack_version": "8.3", "rule_name": "Tainted Kernel Module Load", "sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4", "type": "query", "version": 4 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { - "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Perl", "sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754", "type": "query", "version": 108 }, 
"0635c542-1b96-4335-9b47-126582d2c19a": { - "min_stack_version": "8.3", "rule_name": "Remote System Discovery Commands", "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", "type": "eql", "version": 112 }, "06568a02-af29-4f20-929c-f3af281e41aa": { - "min_stack_version": "8.3", "rule_name": "System Time Discovery", "sha256": "c26f50ed371b312a315bf0bbbc399f65d446218ecd7f63e471538c0e145ea7c9", "type": "eql", "version": 7 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { - "min_stack_version": "8.9", "rule_name": "Unusual Remote File Size", "sha256": "db958e84da3e58cefee53ec77d608ff51199a4e721318451ce091585bb908cc1", "type": "machine_learning", "version": 3 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { - "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "4e653f97afcad71acd94ddf79e5534455c79986773fc543839900cc60e129d88", "type": "eql", "version": 7 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { - "min_stack_version": "8.3", "rule_name": "Potential Evasion via Filter Manager", "sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c", "type": "eql", "version": 110 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { - "min_stack_version": "8.3", "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "4682c4aac80de38bf56894acd47cac808366a9f47329763291361bb23756d3a8", "type": "eql", "version": 110 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { - "min_stack_version": "8.3", "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "092ecb6ac6f1197744e2e114398553fa810674561481b66f9665c3ed95ff0017", "type": "eql", "version": 2 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { - "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", "sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5", "type": "threshold", "version": 7 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { - "min_stack_version": "8.3", "rule_name": "Local Account 
TokenFilter Policy Disabled", "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46", "type": "eql", "version": 8 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Drive Ownership Transferred via Google Workspace", - "sha256": "4ec0b63c545009d7d16d34cd9b95f34edbcf4135f498aa77a805f544b07e6310", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Drive Ownership Transferred via Google Workspace", "sha256": "9df4d9a342110c032419b2564bf6376a9357291ca8b3ead073faf9e5214419e6", "type": "query", "version": 106 }, "080bc66a-5d56-4d1f-8071-817671716db9": { - "min_stack_version": "8.3", "rule_name": "Suspicious Browser Child Process", - "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", + "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", "type": "eql", "version": 107 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { - "min_stack_version": "8.3", "rule_name": "Launch Agent Creation or Modification and Immediate Loading", "sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879", "type": "eql", "version": 106 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { - "min_stack_version": "8.3", "rule_name": "Suspicious Hidden Child Process of Launchd", "sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece", "type": "query", "version": 106 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { - "min_stack_version": "8.4", "rule_name": "First Time Seen Removable Device", "sha256": "085b5157400c5090fec630066b9c606cb33fa8334b9c49babca8242399a11b91", "type": "new_terms", "version": 4 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { - "min_stack_version": "8.3", "rule_name": "Windows Account or Group Discovery", "sha256": "45048599d6d9175e13e297d71afbd3a7d4d80e6d6421abd188c563a5c862bfbb", "type": "eql", 
@@ -368,21 +280,18 @@ "version": 100 }, "092b068f-84ac-485d-8a55-7dd9e006715f": { - "min_stack_version": "8.3", "rule_name": "Creation of Hidden Launch Agent or Daemon", "sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993", "type": "eql", "version": 107 }, "09443c92-46b3-45a4-8f25-383b028b258d": { - "min_stack_version": "8.3", "rule_name": "Process Termination followed by Deletion", "sha256": "8628999b147b10ff30f618a79c4aee2123744abc0e2bb05cc8c98d11017145ad", "type": "eql", "version": 109 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { - "min_stack_version": "8.3", "rule_name": "Member Removed From GitHub Organization", "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", "type": "eql", @@ -395,21 +304,18 @@ "version": 100 }, "09bc6c90-7501-494d-b015-5d988dc3f233": { - "min_stack_version": "8.3", "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "sha256": "bdc3b02c0073ad81ac689ad056327c1e74d84408ac65b51b4738e1fc7c3b5d13", "type": "eql", "version": 4 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { - "min_stack_version": "8.3", "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", "sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53", "type": "query", "version": 102 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { - "min_stack_version": "8.3", "rule_name": "Malware - Detected - Elastic Endgame", "sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2", "type": "query", @@ -425,7 +331,7 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", 
@@ -439,58 +345,42 @@ "version": 106 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { - "min_stack_version": "8.3", "rule_name": "Anomalous Windows Process Creation", "sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579", "type": "machine_learning", "version": 105 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { - "min_stack_version": "8.3", "rule_name": "User account exposed to Kerberoasting", "sha256": "830231e34039027f460477ed025efa9ef0a7efb45b9d97d43080f7d9deceeec3", "type": "query", "version": 109 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { - "min_stack_version": "8.3", "rule_name": "Potential Shell via Wildcard Injection Detected", "sha256": "d23957bdc3e4530971529039105978c60ef34d1dda87b408528c03a1d39da1ca", "type": "eql", "version": 5 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { - "min_stack_version": "8.3", "rule_name": "Processes with Trailing Spaces", "sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286", "type": "eql", "version": 2 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { - "min_stack_version": "8.5", "rule_name": "Threat Intel IP Address Indicator Match", "sha256": "cd59f82b14abfb2a445bdd96682846602eb2f8abc1ef27f64dda99f452f99290", "type": "threat_match", "version": 6 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { - "min_stack_version": "8.3", "rule_name": "Peripheral Device Discovery", "sha256": "f01eac25f9c7d222bc6e12ea4b86f7b4a06d4b76608183e9be91aaf9671427b7", "type": "eql", "version": 109 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { - "min_stack_version": "8.5", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "Threat Intel Indicator Match", - "sha256": "7d0bb73186b47e9fa99ec5b21fe2b862b5cbd6432100901fc476e30bced047a3", - "type": "threat_match", - "version": 105 - } - }, "rule_name": "Deprecated - Threat Intel Indicator Match", "sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a", "type": "threat_match", 
@@ -504,97 +394,60 @@ "version": 1 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff", - "type": "query", - "version": 106 - } - }, "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746", "type": "query", "version": 206 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { - "min_stack_version": "8.3", "rule_name": "Multiple Alerts Involving a User", "sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252", "type": "threshold", "version": 3 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { - "min_stack_version": "8.3", "rule_name": "Nping Process Activity", "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec", "type": "eql", "version": 108 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { - "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by Microsoft Office", "sha256": "e6fecbbaa834a04e699f62857b0e60f7e8c9bb3cb40d033165265ace22ac1cbb", "type": "eql", "version": 110 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", "type": "new_terms", "version": 1 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "SharePoint Malware File Upload", - "sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579", - "type": "query", - "version": 106 - } - }, "rule_name": "SharePoint Malware File Upload", "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393", "type": "query", "version": 206 }, 
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { - "min_stack_version": "8.3", "rule_name": "GCP Service Account Key Creation", "sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b", "type": "query", "version": 104 }, "0e79980b-4250-4a50-a509-69294c14e84b": { - "min_stack_version": "8.3", "rule_name": "MsBuild Making Network Connections", "sha256": "c8013d923873ed418f022b29c77bb4c548a392af89e2a3cd747186d534386880", "type": "eql", "version": 109 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 102, - "rule_name": "RC Script Creation", - "sha256": "56ff748867dc738357a731cfd37b4ae44c954383780d616e3d9034aed76dd9e1", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Persistence Through Run Control Detected", "sha256": "6feb69680930d9a84dce295a56510b4938d7455565609a55b6f340a60f9eee5b", "type": "new_terms", "version": 110 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { - "min_stack_version": "8.3", "rule_name": "Netcat Listener Established via rlwrap", "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147", "type": "eql", 
@@ -607,30 +460,18 @@ "version": 100 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "62abee660a99e58c72f6c4c79047fea8effc510ba10448a766fc3d03d4a36720", - "type": "threshold", - "version": 106 - } - }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", "type": "threshold", "version": 208 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { - "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Root Crontab File Modification", "sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895", "type": "query", "version": 106 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { - "min_stack_version": "8.9", "rule_name": "AWS IAM Login Profile Added to User", "sha256": "aa8a7eac601e73065c58f11ee43537d79be77a14b5a766d34772f5b1cc74c2e9", "type": "query", 
@@ -643,53 +484,30 @@ "version": 100 }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { - "min_stack_version": "8.7", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "WebProxy Settings Modification", - "sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a", - "type": "query", - "version": 106 - } - }, "rule_name": "WebProxy Settings Modification", "sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af", "type": "query", "version": 206 }, "11013227-0301-4a8c-b150-4db924484475": { - "min_stack_version": "8.3", "rule_name": "Abnormally Large DNS Response", "sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721", "type": "query", "version": 105 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { - "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "47fb83a4f1705416ad0ba2cf6d42e319617bf0e145a68f21652116832e770309", "type": "eql", "version": 110 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "94905ad569d414ab1a3c0037dcdb641498c790debb11ceeea8d3354c9b7acd76", "type": "eql", "version": 111 }, "119c8877-8613-416d-a98a-96b6664ee73a": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Snapshot Export", - "sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Snapshot Export", "sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c", "type": "query", 
@@ -702,30 +520,18 @@ "version": 100 }, "11dd9713-0ec6-4110-9707-32daae1ee68c": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "049b0cbfdd71a4ec9ecdce8350842eb7d32d60c45681f6342878de029adf212a", "type": "query", "version": 11 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { - "min_stack_version": "8.3", "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "c0a79cd64ff9bae3ad1545d8a18809dd34644d93ed177bd5f4586a2bb2cb4dba", "type": "eql", "version": 112 }, "12051077-0124-4394-9522-8f4f4db1d674": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", "sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7", "type": "query", @@ -738,7 +544,6 @@ "version": 100 }, "1224da6c-0326-4b4f-8454-68cdc5ae542b": { - "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a User", "sha256": "37bda4461229741fa959b9d762f3bf17c0d03378734fbc1a04cbe4563675bea6", "type": "machine_learning", 
@@ -751,83 +556,48 @@ "version": 100 }, "128468bf-cab1-4637-99ea-fdf3780a4609": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 104, - "rule_name": "Suspicious Lsass Process Access", - "sha256": "c30f6e62697cdaf210db4d6f79d2686bc91e4427ee7bbaea3468482a88373d5c", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious Lsass Process Access", "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554", "type": "eql", "version": 107 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Suspicious Self-Subject Review", - "sha256": "658882e3d31e0988978c24743e8f15fb3423fde5b395cbfc75a641548a291359", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Suspicious Self-Subject Review", "sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec", "type": "query", "version": 203 }, "12cbf709-69e8-4055-94f9-24314385c27e": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Pod Created With HostNetwork", - "sha256": "00e261301692eeb8bc7453cbea5c4605ca9c6d2ae38199b35ad83ffd4a9d0c4b", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Pod Created With HostNetwork", "sha256": "e48fb5d94222f67fbea19233c7fea01163d00908c3844df80f9e36d5e87ad7b7", "type": "query", "version": 203 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { - "min_stack_version": "8.3", "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a", "type": "eql", "version": 3 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { - "min_stack_version": "8.3", "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "07748a896518875c7361a26af5beac29e29097fd6ec0285208e2e88d7df4a538", "type": "eql", "version": 111 }, 
"1327384f-00f3-44d5-9a8c-2373ba071e92": { - "min_stack_version": "8.3", "rule_name": "Persistence via Scheduled Job Creation", "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471", "type": "eql", "version": 108 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { - "min_stack_version": "8.3", "rule_name": "Rare User Logon", "sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679", "type": "machine_learning", "version": 104 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { - "min_stack_version": "8.3", "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", "sha256": "c119669a028d3ccf727586836356bcd2113986db9358089ed57907330b748a73", "type": "threshold", 
@@ -840,137 +610,102 @@ "version": 100 }, "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { - "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "sha256": "e4aac0fcc25bbc7121134faf7852704142d562d2c72bf9973c69b0dfd8d6046c", "type": "eql", "version": 4 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { - "min_stack_version": "8.3", "rule_name": "Azure External Guest User Invitation", "sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1", "type": "query", "version": 102 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { - "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) from the Internet", "sha256": "9b392ee77e47d008944419960e03112af84f3ccc7b043af0c2d16d636e610214", "type": "query", "version": 103 }, "14dab405-5dd9-450c-8106-72951af2391f": { - "min_stack_version": "8.3", "rule_name": "Office Test Registry Persistence", "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2", "type": "eql", "version": 3 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes User Exec into Pod", - "sha256": "3d39cfe20aef41ad7da949c25c18b33868177276c2c4ee9af234be4282e68392", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes User Exec into Pod", "sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9", "type": "query", "version": 203 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { - "min_stack_version": "8.3", "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "d3adc721588e0ae5b24bc4f24e2615b84100397158efd20f6fa50212746fb697", "type": "eql", "version": 109 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { - "min_stack_version": "8.3", "rule_name": "Execution from a Removable Media with Network Connection", "sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4", "type": "eql", 
"version": 3 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { - "min_stack_version": "8.3", "rule_name": "Scheduled Task Execution at Scale via GPO", "sha256": "6bc3367c8bea5ce3680aa60ee8341e332dc12fe82786393e1b98fa8130a817c4", "type": "query", "version": 110 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { - "min_stack_version": "8.3", "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "f31b60069f41b2547dfb226805c62256ec852c2b5ec5014524230d20ca42a646", "type": "eql", "version": 112 }, "15dacaa0-5b90-466b-acab-63435a59701a": { - "min_stack_version": "8.3", "rule_name": "Virtual Private Network Connection Attempt", "sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0", "type": "eql", "version": 107 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { - "min_stack_version": "8.8", "rule_name": "Potential Container Escape via Modified release_agent File", "sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3", "type": "eql", "version": 1 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { - "min_stack_version": "8.3", "rule_name": "Azure Automation Runbook Created or Modified", "sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633", "type": "query", "version": 102 }, "166727ab-6768-4e26-b80c-948b228ffc06": { - "min_stack_version": "8.3", "rule_name": "File Creation Time Changed", "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c", "type": "eql", "version": 5 }, "16904215-2c95-4ac8-bf5c-12354e047192": { - "min_stack_version": "8.3", "rule_name": "Potential Kerberos Attack via Bifrost", "sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d", "type": "query", "version": 106 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS IAM Group Creation", - "sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c", - "type": "query", - "version": 
105 - } - }, "rule_name": "AWS IAM Group Creation", "sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1", "type": "query", "version": 206 }, "16a52c14-7883-47af-8745-9357803f0d4c": { - "min_stack_version": "8.3", "rule_name": "Component Object Model Hijacking", "sha256": "0895ba08cf37c96cf8d9fa25aa47f21883cbb621246244853ae74168e9818f08", "type": "eql", "version": 113 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { - "min_stack_version": "8.3", "rule_name": "Startup/Logon Script added to Group Policy Object", "sha256": "59d27ffb2150faa1ebe4b4b332f29ed9b1a561166aa568c6b699a55de0aec81f", "type": "query", 
@@ -984,63 +719,54 @@ "version": 1 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Username", "sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120", "type": "machine_learning", "version": 104 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Service", "sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a", "type": "machine_learning", "version": 103 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { - "min_stack_version": "8.3", "rule_name": "Suspicious Powershell Script", "sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3", "type": "machine_learning", "version": 104 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5", "type": "machine_learning", "version": 103 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Remote User", "sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9", "type": "machine_learning", "version": 103 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { - "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", "sha256": "a5967e9202be0f4e0df4d0f82dfd5f067e8bc9eea60585cbc5664b744761966d", "type": "new_terms", "version": 9 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { - "min_stack_version": "8.3", "rule_name": "Renamed Utility Executed with Short Program Name", "sha256": "23f4030c21a08bb1eb019a328b8fe62aeea2683957f343f0399abdff84347b22", "type": "eql", "version": 109 }, "17e68559-b274-4948-ad0b-f8415bb31126": { - "min_stack_version": "8.3", "rule_name": "Unusual Network Destination Domain Name", "sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8", "type": "machine_learning", 
"version": 103 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { - "min_stack_version": "8.3", "rule_name": "GCP Logging Sink Modification", "sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2", "type": "query", 
@@ -1053,169 +779,114 @@ "version": 100 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { - "min_stack_version": "8.9", "rule_name": "Spike in Number of Connections Made to a Destination IP", "sha256": "3e6623fdaad77b45863a2c6f198c7624d4b02fa0f1934011776802944a3348fb", "type": "machine_learning", "version": 3 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", "sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f", "type": "eql", "version": 4 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Rare AWS Error Code", - "sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Rare AWS Error Code", "sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec", "type": "machine_learning", "version": 208 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { - "min_stack_version": "8.9", "rule_name": "Spike in Number of Processes in an RDP Session", "sha256": "fc1329361d122f9fce2eca535c54dd0b8a1fee4f8d33775b225227e2d4084002", "type": "machine_learning", "version": 3 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { - "min_stack_version": "8.8", "rule_name": "Suspicious Network Tool Launched Inside A Container", "sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc", "type": "eql", "version": 2 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { - "min_stack_version": "8.3", "rule_name": "Azure Application Credential Modification", "sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a", "type": "query", "version": 102 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { - "min_stack_version": "8.3", "rule_name": "Execution of COM object via Xwizard", "sha256": "069735bb9cd4e472acbdcba371bd44bb50df1f225267d294773ac746e8ecc9e5", "type": 
"eql", "version": 109 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudTrail Log Suspended", "sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b", "type": "query", "version": 209 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { - "min_stack_version": "8.3", "rule_name": "User Account Creation", "sha256": "96534addae6874564d720b53fb0d2b7f621702dd58f3fdebb1d3c69a80f55abb", "type": "eql", "version": 109 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { - "min_stack_version": "8.4", "rule_name": "Process Created with a Duplicated Token", "sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802", "type": "eql", "version": 3 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { - "min_stack_version": "8.3", "rule_name": "Connection to Internal Network via Telnet", "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e", "type": "eql", "version": 107 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS ElastiCache Security Group Modified or Deleted", "sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d", "type": "query", "version": 206 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { - "min_stack_version": "8.3", "rule_name": "Potential Internal Linux SSH Brute Force Detected", "sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516", "type": "eql", "version": 11 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { - 
"min_stack_version": "8.3", "rule_name": "Potential Process Injection from Malicious Document", "sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1", "type": "eql", "version": 2 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 211, - "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45", - "type": "query", - "version": 112 - } - }, "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", "type": "query", "version": 212 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { - "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", "sha256": "dde38b44453671943b7ae6cb4d6fef20e85307ac3723a158fe57ee96d8b1f29d", "type": "eql", "version": 113 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { - "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Rolebindings Created", "sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce", "type": "query", "version": 102 }, "1ca62f14-4787-4913-b7af-df11745a49da": { - "min_stack_version": "8.3", "rule_name": "New GitHub App Installed", "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", "type": "eql", "version": 1 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { - "min_stack_version": "8.3", "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a", "type": "eql", 
@@ -1229,49 +900,42 @@ "version": 2 }, "1d276579-3380-4095-ad38-e596a01bc64f": { - "min_stack_version": "8.3", "rule_name": "Remote File Download via Script Interpreter", "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed", "type": "eql", "version": 110 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { - "min_stack_version": "8.3", "rule_name": "External IP Lookup from Non-Browser Process", "sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433", "type": "eql", "version": 108 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", "sha256": "56bbf0cae42f67fdd41f149363a1891554948e2dbd182c1e0c9fed1a39f36100", "type": "query", "version": 6 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "b09a3222c4eab9324474c30ec5eddb3cd13c0f86e3b9776fc690aa77d8fe9e9d", "type": "eql", "version": 109 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { - "min_stack_version": "8.4", "rule_name": "Suspicious Inter-Process Communication via Outlook", "sha256": "eb4c56089e3f5a64944ea09016b315e24d78a78381989d1d29939502318b82f1", "type": "eql", "version": 6 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { - "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by PDF Reader", "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d", "type": "eql", "version": 108 }, "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Hack Tool Launched", "sha256": "d83c19a46e9401aef5cd62ba06786de63e0ea6448479965630475a6b00667731", "type": "eql", 
@@ -1280,7 +944,7 @@ "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Discovery Capabilities", "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", 
@@ -1294,107 +958,84 @@ "version": 107 }, "1e0b832e-957e-43ae-b319-db82d228c908": { - "min_stack_version": "8.3", "rule_name": "Azure Storage Account Key Regenerated", "sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e", "type": "query", "version": 102 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { - "min_stack_version": "8.3", "rule_name": "Creation of a DNS-Named Record", "sha256": "9b97868151d1bdb1c5754a996d30cf988232f389c492b7f9132402adae176f75", "type": "eql", "version": 1 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { - "min_stack_version": "8.3", "rule_name": "Creation of SettingContent-ms Files", "sha256": "411958937e7a1d399c000c3ee9bc6e256d0b92a5aea3474e468b84f5991e8bed", "type": "eql", "version": 3 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0", "type": "new_terms", "version": 1 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { - "min_stack_version": "8.3", "rule_name": "Unusual Sudo Activity", "sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c", "type": "machine_learning", "version": 103 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { - "min_stack_version": "8.3", "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762", "type": "query", "version": 8 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { - "min_stack_version": "8.3", "rule_name": "Unusual Process Execution on WBEM Path", "sha256": "3e850845c9653b3956dd9ccfe15415b8f6399a899dd58c87a592f2ae81b921de", "type": "eql", "version": 2 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux User Calling the Metadata Service", "sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9", "type": 
"machine_learning", "version": 103 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { - "min_stack_version": "8.3", "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "276423364d5b8bf0affee9f5efd056cba314fa27ef1d574a4ebe6f5b4e0e542e", "type": "eql", "version": 111 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { - "min_stack_version": "8.3", "rule_name": "Exploit - Detected - Elastic Endgame", "sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2", "type": "query", "version": 103 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { - "min_stack_version": "8.3", "rule_name": "Suspicious .NET Code Compilation", "sha256": "5fd6637d01d25848657a37779415e23778a84ee81a913351ee2bbb54701fe88a", "type": "eql", "version": 110 }, "202829f6-0271-4e88-b882-11a655c590d4": { - "min_stack_version": "8.3", "rule_name": "Executable Masquerading as Kernel Process", "sha256": "fa7e58294659262a26ba947cc59044854477a5a49edc98f0d6f896d91e1d9f6d", "type": "eql", "version": 2 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { - "min_stack_version": "8.3", "rule_name": "Creation or Modification of Root Certificate", "sha256": "a137b8929c8afb05318cec2dac421d5e03d1bba700cb7978151e0429bb7a6e53", "type": "eql", "version": 110 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Route 53 Domain Transferred to Another Account", "sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297", "type": "query", 
@@ -1403,7 +1044,7 @@ "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Access of Stored Browser Credentials", "sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563", @@ -1417,14 +1058,12 @@ "version": 207 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { - "min_stack_version": "8.3", "rule_name": "Werfault ReflectDebugger Persistence", "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982", "type": "eql", "version": 2 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { - "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Handle Access", "sha256": "407aa36a170976cc90021ba2e2b10b9d211b7142cb685d4fcdede10a65073287", "type": "eql", 
@@ -1437,137 +1076,102 @@ "version": 100 }, "210d4430-b371-470e-b879-80b7182aa75e": { - "min_stack_version": "8.3", "rule_name": "Mofcomp Activity", "sha256": "a7bd50e06e9eecee6eb4de339db9e9e7ffc5b08ce32a9bc2a119b2aa4f2fdf45", "type": "eql", "version": 2 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Child", "sha256": "cda609fdc97eb250f4f9c03ad3abf9c6760ae78ab03cc3f8fad23789f6ca8ade", "type": "eql", "version": 2 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "sha256": "8b83d7d20910ac09b5cd9f7b2e96a38f9b03f38f314ecf1f779637906818161b", "type": "new_terms", "version": 3 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { - "min_stack_version": "8.3", "rule_name": "Full User-Mode Dumps Enabled System-Wide", "sha256": "9252233dd00ddb80533d2b70ccda0987fc97cab21f4fe935dcb0806e07dc9354", "type": "eql", "version": 7 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "SSH Authorized Keys File Modification", - "sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c", - "type": "query", - "version": 104 - } - }, "rule_name": "SSH Authorized Keys File Modification", "sha256": "093ec92b83608b188904a800b2dc5dc20b93d5e0b11e10e6da27f754f44a18e0", "type": "new_terms", "version": 205 }, "22599847-5d13-48cb-8872-5796fee8692b": { - "min_stack_version": "8.3", "rule_name": "SUNBURST Command and Control Activity", "sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7", "type": "eql", "version": 108 }, "227dc608-e558-43d9-b521-150772250bae": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17", - "type": 
"query", - "version": 106 - } - }, "rule_name": "AWS S3 Bucket Configuration Deletion", "sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629", "type": "query", "version": 207 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { - "min_stack_version": "8.3", "rule_name": "Potential Shell via Web Server", "sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1", "type": "query", "version": 105 }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { - "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Permissions Modification", "sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604", "type": "query", "version": 104 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { - "min_stack_version": "8.3", "rule_name": "Kernel Module Load via insmod", "sha256": "3327b2f3c9c739028f181cd20b7cf3e768c7eae5f4363b478ef982fee21b8eb2", "type": "eql", "version": 109 }, "2377946d-0f01-4957-8812-6878985f515d": { - "min_stack_version": "8.9", "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", "sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4", "type": "eql", "version": 2 }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { - "min_stack_version": "8.6", "rule_name": "Unknown Execution of Binary with RWX Memory Region", "sha256": "b160874aab9501cba7d0344a3fcb2181a25f3d7a5067a23804bc3f8abb705dd1", "type": "new_terms", "version": 1 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { - "min_stack_version": "8.3", "rule_name": "New GitHub Owner Added", "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", "type": "eql", "version": 3 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { - "min_stack_version": "8.3", "rule_name": "Lateral Movement via Startup Folder", "sha256": "dcf5239bdf937bd790a721fc5c7fceea3af8c5377ce0b466359a5ebb23a57ed6", "type": "eql", "version": 108 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { - "min_stack_version": "8.3", "rule_name": "Potential PowerShell HackTool Script by 
Author", "sha256": "cbf8a4fc5c8f2ee86365483602e84f800fbd791c3e29fe467f20a6333d47dfc3", "type": "query", "version": 1 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Background Process", "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5", "type": "eql", "version": 4 }, "25d917c4-aa3c-4111-974c-286c0312ff95": { - "min_stack_version": "8.6", "rule_name": "Network Activity Detected via Kworker", "sha256": "6169ab76be1ab1b6d165bc6e91e309957523da07f42cfa74c0b2eabc0fff457b", "type": "new_terms", 
@@ -1581,51 +1185,36 @@ "version": 1 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { - "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", "sha256": "412a8490a6178fe02adf3eb8d88b4b119d8af57a0e8583ca4a61a6504c554ab5", "type": "eql", "version": 5 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { - "min_stack_version": "8.3", "rule_name": "Azure Blob Container Access Level Modification", "sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534", "type": "query", "version": 102 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { - "min_stack_version": "8.3", "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800", "type": "eql", "version": 111 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { - "min_stack_version": "8.3", "rule_name": "Privileges Elevation via Parent Process PID Spoofing", "sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517", "type": "eql", "version": 7 }, "26edba02-6979-4bce-920a-70b080a7be81": { - "min_stack_version": "8.3", "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", "sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7", "type": "query", "version": 105 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "ab30e15051fb603800f933ba9b3f6539ac75a662fd2dfcbe66c8f7121c7608a9", - "type": "threshold", - "version": 107 - } - }, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", "sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633", "type": "threshold", 
@@ -1634,7 +1223,7 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", 
@@ -1648,60 +1237,36 @@ "version": 105 }, "2724808c-ba5d-48b2-86d2-0002103df753": { - "min_stack_version": "8.3", "rule_name": "Attempt to Clear Kernel Ring Buffer", "sha256": "b84e6128363d24d3503b13f1a618bc430f08140f5a82611c3c3e4f3a5271d2b5", "type": "eql", "version": 4 }, "272a6484-2663-46db-a532-ef734bf9a796": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Transport Rule Modification", "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e", "type": "query", "version": 206 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { - "min_stack_version": "8.3", "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b", "type": "eql", "version": 109 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { - "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Modification", "sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf", "type": "query", "version": 104 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Teams External Access Enabled", "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56", "type": "query", "version": 206 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { - "min_stack_version": "8.3", "rule_name": "Account Password Reset Remotely", "sha256": "b3b4c980cf7d25e52dfb1d1cc53500ac0a87c2b13922dccaf6b9de0b389532e7", "type": "eql", 
@@ -1715,21 +1280,18 @@ "version": 1 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { - "min_stack_version": "8.3", "rule_name": "Account Discovery Command via SYSTEM Account", "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397", "type": "eql", "version": 111 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { - "min_stack_version": "8.3", "rule_name": "Exploit - Prevented - Elastic Endgame", "sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d", "type": "query", "version": 103 }, "28738f9f-7427-4d23-bc69-756708b5f624": { - "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", "sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67", "type": "eql", 
@@ -1749,44 +1311,30 @@ "version": 2 }, "28d39238-0c01-420a-b77a-24e5a7378663": { - "min_stack_version": "8.3", "rule_name": "Sudo Command Enumeration Detected", "sha256": "70ed05b5053d1ac43542f1f8ffef64b0cfb2cb35c0a94eb8be86882438034320", "type": "eql", "version": 5 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { - "min_stack_version": "8.6", "rule_name": "Shell Configuration Modification", "sha256": "1082bfbb3e988caa2fc49527f3dcd4024a4657a591fb5edc4d08e2ba311ca62c", "type": "new_terms", "version": 1 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Security Group Configuration Change Detection", "sha256": "193c2c66e45942d40a519ed5a0c174f69daf4d7c4057ce0af2cc77baa1e9658c", "type": "query", "version": 206 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "f64dc97be4c992f52e4ecf99c9d964a2d99544bea2d8d33d80ba5e96d62d8f80", "type": "eql", "version": 112 }, "2917d495-59bd-4250-b395-c29409b76086": { - "min_stack_version": "8.3", "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc", "type": "eql", 
@@ -1795,14 +1343,7 @@ "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.12", "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3", - "type": "eql", - "version": 108 - }, - "8.6": { + "8.9": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", 
@@ -1823,148 +1364,96 @@ "version": 1 }, "29ef5686-9b93-433e-91b5-683911094698": { - "min_stack_version": "8.6", "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", "sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342", "type": "new_terms", "version": 1 }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { - "min_stack_version": "8.3", "rule_name": "Potential Linux SSH X11 Forwarding", "sha256": "359e41830e4fd4bfc9775176917b335b3c9188c05a983a056b52e796d20b6fd7", "type": "eql", "version": 3 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { - "min_stack_version": "8.3", "rule_name": "Potential Code Execution via Postgresql", "sha256": "8bfe7f061ea6409e5ec8657a58cc81d8fd705e930ef358d31347a1ee67035391", "type": "eql", "version": 6 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "sha256": "bd95cc69164fae41e991e31ae5435c01f2785e2c361dafea62766db0b0f66a10", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", "sha256": "2704808ccae32f5b44395171db755258b7e7a248df4bab32a33cddb2ac181df0", "type": "query", "version": 203 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { - "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Grep", "sha256": "7f6bc06878f5c089508b21b556ed4a227c059d655b54717af4863db317dd6504", "type": "eql", "version": 6 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { - "min_stack_version": "8.3", "rule_name": "Adobe Hijack Persistence", "sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d", "type": "eql", "version": 111 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { - "min_stack_version": "8.3", "rule_name": "Windows Defender Exclusions Added via PowerShell", "sha256": "df6ed2953eabd8c292df3200fc51dd9222b2c0c3fd5b9174f66efb61a28bcd5b", "type": "eql", "version": 110 }, 
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { - "min_stack_version": "8.3", "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", "sha256": "de455f667043e9cf42dd5fe4ac1a588f29bf04c9e5ac3c78bf84f5849ae48494", "type": "eql", "version": 109 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "Enumeration of Kernel Modules", - "sha256": "b3bad6443210cec62c090d0872efcafedb7565ac5fed882aa46afab6073c4e08", - "type": "eql", - "version": 105 - } - }, "rule_name": "Enumeration of Kernel Modules", "sha256": "4f8354117b7013f27de2b6338d831ecebb494b5dd5dc310f3d36de2e9df3e46e", "type": "new_terms", "version": 209 }, "2dd480be-1263-4d9c-8672-172928f6789a": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "9aa09b7a6367bc4d21531ae1e5860ac4f0f89b9a2331c0c63032d8fa85c753e5", - "type": "eql", - "version": 108 - } - }, "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328", "type": "eql", "version": 211 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { - "min_stack_version": "8.3", "rule_name": "Potential SSH-IT SSH Worm Downloaded", "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c", "type": "eql", "version": 3 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "6aafdc4d1c33f41d82f7a067cce68c407f9cc905aa5f0bcee8e8a3626f89a88e", - "type": "threshold", - "version": 107 - } - }, "rule_name": "O365 Excessive Single Sign-On Logon Errors", "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46", "type": "threshold", "version": 207 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { - 
"min_stack_version": "8.3", "rule_name": "Wireless Credential Dumping using Netsh Command", "sha256": "469f29380de3612562dd52d96cf08b2590670a1f0ed5c09882c3caa6420fc78f", "type": "eql", "version": 8 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { - "min_stack_version": "8.3", "rule_name": "Renamed AutoIt Scripts Interpreter", "sha256": "a23203b35000455d7e15f08f4aa4523ffb4cf37e6277c5ad2afff5dfb75f06d4", "type": "eql", "version": 110 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { - "min_stack_version": "8.3", "rule_name": "Potential Process Injection via PowerShell", "sha256": "81ff8ad3429868b3ae4e62b20cdf7861c5912ea5ea56a373eb053a9ba8cafb2d", "type": "query", "version": 110 }, "2e311539-cd88-4a85-a301-04f38795007c": { - "min_stack_version": "8.3", "rule_name": "Accessing Outlook Data Files", "sha256": "d2e5a15c87b68da8ded83c3f04fd1cc0b2f38a858d9d58825ea43aa5b4d13c9d", "type": "eql", 
@@ -1978,233 +1467,192 @@ "version": 1 }, "2e580225-2a58-48ef-938b-572933be06fe": { - "min_stack_version": "8.3", "rule_name": "Halfbaked Command and Control Beacon", "sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174", "type": "query", "version": 104 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { - "min_stack_version": "8.3", "rule_name": "Creation of a Hidden Local User Account", "sha256": "04e25e2a367da2d230efdd2c089caf2310ebc0b4555468d52654ae40cd73624f", "type": "eql", "version": 110 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { - "min_stack_version": "8.3", "rule_name": "GCP Kubernetes Rolebindings Created or Patched", "sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830", "type": "query", "version": 101 }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { - "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652", "type": "query", "version": 110 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { - "min_stack_version": "8.3", "rule_name": "Attempt to Disable Syslog Service", "sha256": "8780262dbf51119a57e1482fdc257e16b74e0e78063f08f70039f0e84bd8e10e", "type": "eql", "version": 109 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { - "min_stack_version": "8.3", "rule_name": "Suspicious /proc/maps Discovery", "sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93", "type": "eql", "version": 2 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { - "min_stack_version": "8.3", "rule_name": "Startup Folder Persistence via Unsigned Process", "sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813", "type": "eql", "version": 109 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { - "min_stack_version": "8.3", "rule_name": "Windows Defender Disabled via Registry Modification", "sha256": "c25dfc5c295e5fe0ef6c4bd03401308cc79d8069474d9a66e34a91f53a75d793", "type": "eql", "version": 111 }, 
"301571f3-b316-4969-8dd0-7917410030d3": { - "min_stack_version": "8.9", "rule_name": "Malicious Remote File Creation", "sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0", "type": "eql", "version": 1 }, "30562697-9859-4ae0-a8c5-dab45d664170": { - "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Creation", "sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e", "type": "query", "version": 104 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { - "min_stack_version": "8.5", "rule_name": "ESXI Timestomping using Touch Command", "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea", "type": "eql", "version": 8 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { - "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection via Sudo Binary", "sha256": "7c7f71f10f08bbfa8f116046faf6e9487e82a654dc7c8ff4155bbb67fb267058", "type": "eql", "version": 2 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { - "min_stack_version": "8.3", "rule_name": "Agent Spoofing - Mismatched Agent ID", "sha256": "edb96a30a9a4b522b0f24c47e6c9e97132020bca3d111e9f0fb2478062ca5c46", "type": "query", "version": 101 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { - "min_stack_version": "8.3", "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", "sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446", "type": "query", "version": 104 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { - "min_stack_version": "8.3", "rule_name": "Bypass UAC via Event Viewer", "sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c", "type": "eql", "version": 112 }, "3202e172-01b1-4738-a932-d024c514ba72": { - "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Topic Deletion", "sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0", "type": "query", "version": 104 }, "32300431-c2d5-432d-8ec8-0e03f9924756": { - "min_stack_version": "8.6", "rule_name": "Network Connection from Binary 
with RWX Memory Region", "sha256": "2037bc6827adab74cd7f5d34cc9724885806f9d8b3ca6aad279ca53096b8b6f6", "type": "eql", "version": 1 }, "323cb487-279d-4218-bcbd-a568efe930c6": { - "min_stack_version": "8.3", "rule_name": "Azure Network Watcher Deletion", "sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a", "type": "query", "version": 102 }, "32923416-763a-4531-bb35-f33b9232ecdb": { - "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) to the Internet", "sha256": "7ca9c8daa861f8675fc6d90454ceb1fbbeb55621db753f0ffa615be1509581ea", "type": "query", "version": 103 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { - "min_stack_version": "8.3", "rule_name": "Program Files Directory Masquerading", "sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa", "type": "eql", "version": 109 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { - "min_stack_version": "8.3", "rule_name": "Suspicious MS Outlook Child Process", "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3", "type": "eql", "version": 111 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS IAM User Addition to Group", - "sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS IAM User Addition to Group", "sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46", "type": "query", "version": 209 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { - "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Find", "sha256": "65285808d7e3a2abc4e4eafa9288e8e9c5d82f2dc7fd8f2cf160f7c224988f04", "type": "eql", "version": 6 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { - "min_stack_version": "8.3", "rule_name": "Remote File Download via PowerShell", "sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976", "type": "eql", "version": 110 
}, "342f834b-21a6-41bf-878c-87d116eba3ee": { - "min_stack_version": "8.8", "rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container", "sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6", "type": "eql", "version": 1 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { - "min_stack_version": "8.3", "rule_name": "GitHub Repository Deleted", "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", "type": "eql", "version": 2 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { - "min_stack_version": "8.3", "rule_name": "Accepted Default Telnet Port Connection", "sha256": "5a1c81a6f5119308ed2c419c07cd7d61610c4bf863351341f4f1c5c3d54644b1", "type": "query", "version": 104 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { - "min_stack_version": "8.3", "rule_name": "Execution via Electron Child Process Node.js Module", "sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934", "type": "query", "version": 106 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { - "min_stack_version": "8.3", "rule_name": "Port Forwarding Rule Addition", "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd", "type": "eql", "version": 110 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { - "min_stack_version": "8.9", "rule_name": "Spike in Bytes Sent to an External Device", "sha256": "67a35f156241abf955e83450c9f9e4de70743aa2b982ae6e96fe95b1734847ac", "type": "machine_learning", "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { - "min_stack_version": "8.3", "rule_name": "Unusual Parent-Child Relationship", "sha256": "1984aac08fb341387ffbc60fed85f41724c02408e79a0837eebfaff0eea168c3", "type": "eql", "version": 111 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { - "min_stack_version": "8.3", "rule_name": "Network Traffic to Rare Destination Country", "sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82", "type": "machine_learning", 
@@ -2217,51 +1665,36 @@ "version": 100 }, "3688577a-d196-11ec-90b0-f661ea17fbce": { - "min_stack_version": "8.3", "rule_name": "Process Started from Process ID (PID) File", "sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e", "type": "eql", "version": 109 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { - "min_stack_version": "8.3", "rule_name": "Suspicious ImagePath Service Creation", "sha256": "dd157344f60c0f8cdf534de6a25fd8ec70ae6b174250971f224102c56b1ed3d2", "type": "eql", "version": 107 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { - "min_stack_version": "8.9", "rule_name": "High Mean of Process Arguments in an RDP Session", "sha256": "9fa7888003d814e16febe8363b55e5c5d98fbebc187b1134b988a70bfa227457", "type": "machine_learning", "version": 3 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { - "min_stack_version": "8.3", "rule_name": "Potential Suspicious File Edit", "sha256": "ad661308418ae98d99acfbe93160fc7b79bd560af7e212b8b2d582ca93665254", "type": "eql", "version": 4 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Security Group Creation", - "sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Security Group Creation", "sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0", "type": "query", "version": 206 }, "37994bca-0611-4500-ab67-5588afe73b77": { - "min_stack_version": "8.3", "rule_name": "Azure Active Directory High Risk Sign-in", "sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a", "type": "query", 
@@ -2274,16 +1707,6 @@ "version": 100 }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS Execution via System Manager", - "sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS Execution via System Manager", "sha256": "5262f35d3a77b7ea661f2c08269986f36b47c9e01836ec71acf45e6f3653b88e", "type": "query", @@ -2292,7 +1715,7 @@ "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Finder Sync Plugin Registered and Enabled", "sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598", @@ -2308,7 +1731,7 @@ "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2", 
@@ -2322,81 +1745,54 @@ "version": 207 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { - "min_stack_version": "8.3", "rule_name": "Network Connection via Certutil", "sha256": "6f47f5ed6240c55d50a34719a69f8cc06e2e1a96b3d7dbf8caed23d34f6fb612", "type": "eql", "version": 111 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { - "min_stack_version": "8.7", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08", - "type": "eql", - "version": 107 - } - }, "rule_name": "Prompt for Credentials with OSASCRIPT", "sha256": "3032a13d5103580a7a71c386fb3b0871d65a29e3b195d7c15ef594679579b277", "type": "eql", "version": 207 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { - "min_stack_version": "8.3", "rule_name": "User Added as Owner for Azure Service Principal", "sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f", "type": "query", "version": 102 }, "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "External User Added to Google Workspace Group", "sha256": "5b576006ba63579d8d410c1b6a505b7129e0e534887b142f08e9778bab82d1a1", "type": "eql", "version": 2 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EC2 Network Access Control List Creation", "sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee", "type": "query", "version": 206 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { - "min_stack_version": "8.3", "rule_name": "Downloaded Shortcut Files", "sha256": "a78fe7706bba28d2e8916c6285d2aa614ab127534029912e8e9ad9ab133792dc", "type": "eql", "version": 2 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { - 
"min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3", "type": "eql", "version": 107 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { - "min_stack_version": "8.3", "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035", "type": "eql", "version": 110 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { - "min_stack_version": "8.3", "rule_name": "Suspicious Module Loaded by LSASS", "sha256": "b774f07509146c401d27897d918bded4c1725c4bf5e8b457e9a749116e912d1f", "type": "eql", 
@@ -2409,56 +1805,48 @@ "version": 100 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { - "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) to the Internet", "sha256": "75c83bc25b63f6d009bfaa4c5ad8ac726f34d8463a71addc994107e75c6f41e3", "type": "query", "version": 104 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { - "min_stack_version": "8.3", "rule_name": "Azure Full Network Packet Capture Detected", "sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d", "type": "query", "version": 103 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a", "type": "new_terms", "version": 1 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { - "min_stack_version": "8.3", "rule_name": "Malware - Prevented - Elastic Endgame", "sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442", "type": "query", "version": 103 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { - "min_stack_version": "8.3", "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f", "type": "eql", "version": 110 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { - "min_stack_version": "8.3", "rule_name": "NTDS or SAM Database File Copied", "sha256": "9b7f98ccce2835bb0f4a66f0d771402a60aa80c0516f3c461f25258464d92dde", "type": "eql", "version": 112 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Port Activity", "sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9", "type": "machine_learning", "version": 103 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { - "min_stack_version": "8.3", "rule_name": "ScreenConnect Server Spawning Suspicious Processes", "sha256": "b8cf058fc04d31b542a9af0b67afca6876cd61ca3cbae997f11f1750d0e5c24c", "type": "eql", 
@@ -2467,7 +1855,7 @@ "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", 
@@ -2481,197 +1869,138 @@ "version": 105 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudTrail Log Updated", - "sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudTrail Log Updated", "sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262", "type": "query", "version": 209 }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { - "min_stack_version": "8.9", "rule_name": "Spike in Number of Connections Made from a Source IP", "sha256": "e0f94b4cfe4ca344a1904651585a27509c31993709b1767adc5d92d1e020eb62", "type": "machine_learning", "version": 3 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Windows Subsystem for Linux", "sha256": "2a6df6ecfdcec0cacd6cd3fbe669354f173ae5e52c45c067290621e97758d904", "type": "eql", "version": 6 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { - "min_stack_version": "8.3", "rule_name": "Kernel Driver Load", "sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc", "type": "eql", "version": 4 }, "3e3d15c6-1509-479a-b125-21718372157e": { - "min_stack_version": "8.3", "rule_name": "Suspicious Emond Child Process", "sha256": "7d78dc70f6217f921486f43f26839cb0fe33c9dcd5bfc983e0a3117ce260f1db", "type": "eql", "version": 106 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { - "min_stack_version": "8.3", "rule_name": "Potential Remote File Execution via MSIEXEC", "sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684", "type": "eql", "version": 3 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { - "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "f7be2ac3e9aac82f91122e2416bba98480072d50a299c9fb593ea60bf876b8d8", "type": "eql", "version": 110 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { - 
"min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "ef3b36cfe9937ac9e94d85f43e7c8d1eb725f6edec2353a6c3df2745f5d06fbb", - "type": "eql", - "version": 107 - } - }, "rule_name": "Suspicious Process Creation CallTrace", "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927", "type": "eql", "version": 208 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "6f5fb726f163898f2ca5b0b8de75a346cda8451de239adb986ada4f3128b4c67", - "type": "threshold", - "version": 107 - } - }, "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", "sha256": "3ee6a597bfe462c8b9132d7ca83768025a28634b18c009db462cb0c3bd7bfe39", "type": "threshold", "version": 207 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { - "min_stack_version": "8.3", "rule_name": "CyberArk Privileged Access Security Error", "sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a", "type": "query", "version": 102 }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { - "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Client", "sha256": "506ac5257e3fbd5947ce89f51b4a1154eea0e4245f3b8d26f1579ed36d7de792", "type": "eql", "version": 5 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { - "min_stack_version": "8.3", "rule_name": "Binary Executed from Shared Memory Directory", "sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d", "type": "eql", "version": 110 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { - "min_stack_version": "8.3", "rule_name": "Process Discovery via Built-In Applications", "sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07", "type": "eql", "version": 3 }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { - "min_stack_version": 
"8.9", "rule_name": "Unusual Time or Day for an RDP Session", "sha256": "2d41f9c292e0cfb545738b9fefb92890c35a74f559c525d8882ff69abb589281", "type": "machine_learning", "version": 3 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { - "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a User", "sha256": "605a890392cba9a22d8ca7c2285cf0fe0e562dfeccb201126b50540f02b6567b", "type": "machine_learning", "version": 4 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { - "min_stack_version": "8.3", "rule_name": "GitHub User Blocked From Organization", "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6", "type": "eql", "version": 1 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { - "min_stack_version": "8.3", "rule_name": "Unusual Persistence via Services Registry", "sha256": "ff437c6e2c47619b352ee9e1a2afc7a9efc07196a586924803b1daaf14e3c9d6", "type": "eql", "version": 108 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 102, - "rule_name": "Suspicious Modprobe File Event", - "sha256": "57d346776e2d53dc371be91bf8eee48d1a5551497057024f0cba657e1b22f6d0", - "type": "eql", - "version": 4 - } - }, "rule_name": "Suspicious Modprobe File Event", "sha256": "2a6caaea58f921647c925b776c5a3263205f0e14402adfb96fe9784742822f0c", "type": "new_terms", "version": 107 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { - "min_stack_version": "8.3", "rule_name": "Unix Socket Connection", "sha256": "3205e8361a1f086b49b3af871c969ed11481015e0dff4ac8a9a0d72db9843e22", "type": "eql", "version": 2 }, "416697ae-e468-4093-a93d-59661fa619ec": { - "min_stack_version": "8.3", "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "aa2506ef37c17be2ee06aaebfabb669748b8247f50e0664debb0e789db74ca71", "type": "eql", "version": 111 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": 
"a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d", "type": "new_terms", "version": 1 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { - "min_stack_version": "8.3", "rule_name": "EggShell Backdoor Execution", "sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb", "type": "query", "version": 103 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { - "min_stack_version": "8.3", "rule_name": "Potential Hidden Local User Account Creation", "sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a", "type": "query", @@ -2685,7 +2014,6 @@ "version": 1 }, "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { - "min_stack_version": "8.8", "rule_name": "Interactive Exec Command Launched Against A Running Container", "sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063", "type": "eql", @@ -2694,7 +2022,7 @@ "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "882dcaea90df31c2153dbabfb17dc21bcc8f8866c862b5a02c20026eac301621", 
@@ -2708,126 +2036,108 @@ "version": 208 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { - "min_stack_version": "8.3", "rule_name": "Process Creation via Secondary Logon", "sha256": "02389fa2b314a4c1b09a7516f22580f4b91f255f5f87e61cad90039acb6a26b0", "type": "eql", "version": 9 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { - "min_stack_version": "8.3", "rule_name": "Unusual Login Activity", "sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c", "type": "machine_learning", "version": 103 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { - "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: No User Agent", "sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919", "type": "query", "version": 101 }, "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": { - "min_stack_version": "8.3", "rule_name": "Linux User Added to Privileged Group", "sha256": "3d53c3cf46875865535f808e7c6c2ef22a6d516d653fd23e37c8faaf4d477438", "type": "eql", "version": 6 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { - "min_stack_version": "8.3", "rule_name": "Startup Persistence by a Suspicious Process", "sha256": "83d79f7e35b069d84ce239901a6f3aaabd224e0494355f02c61e2650de4099c6", "type": "eql", "version": 110 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Path Activity", "sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e", "type": "machine_learning", "version": 104 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { - "min_stack_version": "8.3", "rule_name": "Potential Masquerading as VLC DLL", "sha256": "d9597f07d834346b49d0ec5d44b690415e313ac8d159ee72e5fa8335fd7e85fb", "type": "eql", "version": 3 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { - "min_stack_version": "8.3", "rule_name": "Multiple Vault Web Credentials Read", "sha256": "24ee5dd513d2411aadcf6700b279d44bb0d803d6514f3d920e7071076e34d242", "type": "eql", "version": 10 }, "453183fa-f903-11ee-8e88-f661ea17fbce": { - 
"min_stack_version": "8.9", "rule_name": "Route53 Resolver Query Log Configuration Deleted", "sha256": "98d3f47b38a2e490eb32fe435fb1a3cdc74636dabc5fe7a97b731551b87ec8cd", "type": "query", "version": 1 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { - "min_stack_version": "8.3", "rule_name": "Permission Theft - Prevented - Elastic Endgame", "sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a", "type": "query", "version": 103 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { - "min_stack_version": "8.3", "rule_name": "Windows Event Logs Cleared", "sha256": "fc09cce15ed08c912228c02d8c8a913febbcfde1263a2410a281a5b780cbc1bd", "type": "query", "version": 108 }, "45d273fb-1dca-457d-9855-bcb302180c21": { - "min_stack_version": "8.3", "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "b3b214a87a2d7efdda2a6e79454b84fdbae8dbfdb3834d1b51bdc0524f4e0b41", "type": "eql", "version": 111 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { - "min_stack_version": "8.3", "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "f28a8d21784231d74baa3c2c1bc50c52047b904b90baf5f454eff45f52d1ca07", "type": "eql", "version": 111 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { - "min_stack_version": "8.3", "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "532a6ef376ad303e213a6c18952dbfd541118f748ed30402beff2be0870e927f", "type": "eql", "version": 109 }, "46f804f5-b289-43d6-a881-9387cf594f75": { - "min_stack_version": "8.3", "rule_name": "Unusual Process For a Linux Host", "sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782", "type": "machine_learning", "version": 104 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { - "min_stack_version": "8.6", "rule_name": "Potential Persistence Through init.d Detected", "sha256": "cd769b23546bc7c66a492fb80d7c336f31823e527982f3185a9ad7b4c3686ee1", "type": "new_terms", "version": 9 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { - "min_stack_version": "8.8", "rule_name": "Sensitive Files Compression 
Inside A Container", "sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939", "type": "eql", "version": 2 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { - "min_stack_version": "8.3", "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "78feac62454588684cd56fc409cf666bba314b8537b67f5c8c1ee01afada874f", "type": "eql", 
@@ -2840,244 +2150,186 @@ "version": 100 }, "47f76567-d58a-4fed-b32b-21f571e28910": { - "min_stack_version": "8.3", "rule_name": "Apple Script Execution followed by Network Connection", "sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a", "type": "eql", "version": 106 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { - "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "daa833de111fdd82adf05f6795ee87754f8dd5a0631fdc3857995779eeb0743e", "type": "eql", "version": 109 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { - "min_stack_version": "8.8", - "previous": { - "8.6": { - "max_allowable_version": 104, - "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", - "sha256": "fadad966a91f932ed17c91f28dccd142d23d55cd4ae7ea7c57bdd1571b0c95ea", - "type": "new_terms", - "version": 5 - } - }, "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea", "type": "new_terms", "version": 105 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell", "sha256": "d2d12619cc88da5d442a1f223e4ccf1cdb06d037c5ab3440a7814cb9d6b11736", "type": "eql", "version": 8 }, "48b6edfc-079d-4907-b43c-baffa243270d": { - "min_stack_version": "8.3", "rule_name": "Multiple Logon Failure from the same Source Address", "sha256": "9ab25d365ce5c55e8b3447548326215241c5e3e269772cfda3d53460a796bd70", "type": "eql", "version": 9 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { - "min_stack_version": "8.3", "rule_name": "Unexpected Child Process of macOS Screensaver Engine", "sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312", "type": "eql", "version": 107 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { - "min_stack_version": "8.3", "rule_name": "Potential Persistence via Periodic Tasks", "sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6", 
"type": "query", "version": 106 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { - "min_stack_version": "8.3", "rule_name": "Remote XSL Script Execution via COM", "sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc", "type": "eql", "version": 3 }, "493834ca-f861-414c-8602-150d5505b777": { - "min_stack_version": "8.3", "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", "sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0", "type": "threshold", "version": 101 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Backdoor User Account Creation", "sha256": "13db3c2d1fc38751e03a07125ee9720d077032ecc780b0474951dcffa438ece8", "type": "eql", "version": 6 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Application Removed from Blocklist in Google Workspace", - "sha256": "e61b1bbcf81ae0a39c5740592307709fdd354ac9c7ca1cff724f403f2683e67e", - "type": "query", - "version": 5 - } - }, "rule_name": "Application Removed from Blocklist in Google Workspace", "sha256": "458d45e2d4ec3ad54e104516c1bf827f241392740f457d0b358ed439cea466f4", "type": "query", "version": 106 }, "4973e46b-a663-41b8-a875-ced16dda2bb0": { - "min_stack_version": "8.6", "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", "sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7", "type": "eql", "version": 3 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { - "min_stack_version": "8.3", "rule_name": "Process Discovery Using Built-in Tools", "sha256": "3760e37b4f14a48147ffb42a0e6ac8615c7a41564dcffc483719244adf4aac52", "type": "eql", "version": 4 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { - "min_stack_version": "8.3", "rule_name": "Possible FIN7 DGA Command and Control Behavior", "sha256": "42113dd49a2b2df45e90301ac64feac172a5fe2d5ae21baddb22e62943b28082", 
"type": "query", "version": 105 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { - "min_stack_version": "8.3", "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea", "type": "eql", "version": 5 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { - "min_stack_version": "8.3", "rule_name": "Potential Cross Site Scripting (XSS)", "sha256": "0ddba68a65a560e542542a531d9b0222a706b62e38442f5afb342b989f8d70fa", "type": "eql", "version": 1 }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { - "min_stack_version": "8.3", "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", "sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982", "type": "eql", "version": 6 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { - "min_stack_version": "8.3", "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "b071ea55c3cd817e5aec99970cd493053e2b94783f1aafb56e89004674a69b22", "type": "eql", "version": 110 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { - "min_stack_version": "8.8", "rule_name": "Container Workload Protection", "sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24", "type": "query", "version": 4 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { - "min_stack_version": "8.3", "rule_name": "ProxyChains Activity", "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3", "type": "eql", "version": 4 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { - "min_stack_version": "8.9", "rule_name": "Unusual Process Writing Data to an External Device", "sha256": "3659127431f2145c49922aa110bbe7be12f4776825ee1a24f2409945b3f414f0", "type": "machine_learning", "version": 3 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { - "min_stack_version": "8.3", "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", "type": "eql", "version": 109 }, 
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { - "min_stack_version": "8.3", "rule_name": "PowerShell Share Enumeration Script", "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1", "type": "query", "version": 9 }, "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { - "min_stack_version": "8.3", "rule_name": "Kernel Load or Unload via Kexec Detected", "sha256": "8cdb4afadd73272dc07ee9b31b8a8f1e2ab6d9ba07e75a228d827eb5cedf236e", "type": "eql", "version": 6 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "09c72f469d0aca040785500480c6c4086070ace209803e2f0b4f1d79de394a3f", - "type": "threshold", - "version": 106 - } - }, "rule_name": "AWS Management Console Brute Force of Root User Identity", "sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1", "type": "threshold", "version": 207 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { - "min_stack_version": "8.3", "rule_name": "Attempt to Disable Gatekeeper", "sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba", "type": "query", "version": 106 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { - "min_stack_version": "8.3", "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "8bf850df70b51fc76b714e18cd7a173376cb3f8b205d59d19bf4656ff704fada", "type": "eql", "version": 112 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { - "min_stack_version": "8.3", "rule_name": "Multiple Logon Failure Followed by Logon Success", "sha256": "8ed9b11012b3ceb54e839102d8ba6f90c8bc6f8e9c7d2069f8c01d504d8b13ce", "type": "eql", "version": 10 }, "4ec47004-b34a-42e6-8003-376a123ea447": { - "min_stack_version": "8.3", "rule_name": "Suspicious Process Spawned from MOTD Detected", "sha256": "5c74f520f2356f579a86fc666a87af41bd62c8e52f1edc1521b9f7bd58b3f461", "type": "eql", "version": 8 }, 
"4ed493fc-d637-4a36-80ff-ac84937e5461": { - "min_stack_version": "8.3", "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "46dc5171e6385fc71511dfe5c62bbfb3d211317614112565e2dbd8a177803a7b", "type": "eql", "version": 111 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { - "min_stack_version": "8.3", "rule_name": "Suspicious Script Object Execution", "sha256": "604ff31b37bb88ec61794d51e66317597ae32e1b24ffcd6bc110afddaf9259ed", "type": "eql", @@ -3086,7 +2338,7 @@ "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8", @@ -3107,7 +2359,6 @@ "version": 1 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { - "min_stack_version": "8.3", "rule_name": "Execution via TSClient Mountpoint", "sha256": "7e36c4f41ffd47e55fb0504fb3dee66108c384d0a06ec60f2c6de1e2b5d702ef", "type": "eql", 
@@ -3121,109 +2372,78 @@ "version": 2 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { - "min_stack_version": "8.3", "rule_name": "Windows System Information Discovery", "sha256": "e7f81d69a9300bde47134faf67e74e663bf52d62682494acfafebc8afa114273", "type": "eql", "version": 4 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { - "min_stack_version": "8.3", "rule_name": "Hidden Files and Directories via Hidden Flag", "sha256": "997601d0253b1c3fc65712c6e0e2784ffba03a5f7b3926a5cf5e183aea3006d7", "type": "eql", "version": 2 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { - "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppCert DLL", "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", "type": "eql", "version": 108 }, "514121ce-c7b6-474a-8237-68ff71672379": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87", "type": "query", "version": 206 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { - "min_stack_version": "8.3", "rule_name": "GCP Logging Sink Deletion", "sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827", "type": "query", "version": 104 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { - "min_stack_version": "8.3", "rule_name": "Tainted Out-Of-Tree Kernel Module Load", "sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa", "type": "query", "version": 2 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { - "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", "type": "eql", "version": 108 }, 
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { - "min_stack_version": "8.3", "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", "sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325", "type": "eql", "version": 7 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS GuardDuty Detector Deletion", "sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce", "type": "query", "version": 206 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { - "min_stack_version": "8.3", "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", "sha256": "1bda048bcd9c1bf57b4b123d710a6c78eb505e8a06f8d13ced365be3a3abfa5d", "type": "eql", "version": 112 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { - "min_stack_version": "8.3", "rule_name": "Execution via Microsoft DotNet ClickOnce Host", "sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7", "type": "eql", "version": 1 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { - "min_stack_version": "8.3", "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", "type": "eql", "version": 109 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Activity", "sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7", "type": "machine_learning", 
@@ -3242,37 +2462,24 @@ "version": 100 }, "530178da-92ea-43ce-94c2-8877a826783d": { - "min_stack_version": "8.3", "rule_name": "Suspicious CronTab Creation or Modification", "sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab", "type": "eql", "version": 106 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { - "min_stack_version": "8.6", "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "sha256": "f88c3c6d45fbe0bb6e1869423ab9e7667f5019abcead82c85039f1775a2b37ca", "type": "new_terms", "version": 8 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EFS File System or Mount Deleted", "sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990", "type": "query", "version": 206 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { - "min_stack_version": "8.3", "rule_name": "Azure Diagnostic Settings Deletion", "sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2", "type": "query", @@ -3286,21 +2493,18 @@ "version": 4 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { - "min_stack_version": "8.3", "rule_name": "Suspicious PDF Reader Child Process", "sha256": "e67568b9c981e928c8780997ad8a1ad3532c6816c7ba4e0eaf9b8b18c5f3923b", "type": "eql", "version": 110 }, "53dedd83-1be7-430f-8026-363256395c8b": { - "min_stack_version": "8.3", "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "5932e2f55f6f1e70ca53785865b24d7c502633270fe5df05d898167c0c36ab43", "type": "eql", "version": 3 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { - "min_stack_version": "8.3", "rule_name": "Uncommon Registry Persistence Change", "sha256": "62ae21bef70ecd1965d7f2e666f067077780c120bcbef93083911dea04b33b17", "type": "eql", 
@@ -3309,7 +2513,7 @@ "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", @@ -3323,35 +2527,30 @@ "version": 108 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { - "min_stack_version": "8.3", "rule_name": "Network Logon Provider Registry Modification", "sha256": "c432bc081898b9f4cbbf9aca1bfde2c778015db0534e78dddccc213f25c9ed59", "type": "eql", "version": 109 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { - "min_stack_version": "8.3", "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "522f9edf21b4768c2f43e0e448fb38e2603d76177730b764dd66e50b145aa56c", "type": "query", "version": 108 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { - "min_stack_version": "8.3", "rule_name": "PsExec Network Connection", "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", "type": "eql", "version": 109 }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { - "min_stack_version": "8.3", "rule_name": "Windows Installer with Suspicious Properties", "sha256": "ef9f5b3f0202dcd4e752c19f9ee8c807b55c72c653b8e1fa0399b2a0408c8753", "type": "eql", "version": 1 }, "56004189-4e69-4a39-b4a9-195329d226e9": { - "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a Host", "sha256": "60181e72437ae398200e9082d83f05217fb1a24754604f6147a583f83048b853", "type": "machine_learning", @@ -3365,7 +2564,6 @@ "version": 1 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { - "min_stack_version": "8.3", "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "aac24b839c4f5e1399effca0ee9a8800cd8ceebd4467a9a2785fab8cf4ae6576", "type": "query", 
@@ -3374,7 +2572,7 @@ "565c2b44-7a21-4818-955f-8d4737967d2e": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Potential Admin Group Account Addition", "sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4", @@ -3388,14 +2586,12 @@ "version": 206 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { - "min_stack_version": "8.3", "rule_name": "Dumping of Keychain Content via Security Command", "sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb", "type": "eql", "version": 107 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { - "min_stack_version": "8.3", "rule_name": "GCP Logging Bucket Deletion", "sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a", "type": "query", @@ -3404,7 +2600,7 @@ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", 
@@ -3418,218 +2614,156 @@ "version": 210 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 101, - "rule_name": "Execution of an Unsigned Service", - "sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc", - "type": "eql", - "version": 2 - } - }, "rule_name": "Execution of an Unsigned Service", "sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9", "type": "new_terms", "version": 105 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { - "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) from the Internet", "sha256": "08484b01efb6cd6e700e6ac39d1766a24491ac8d9aee3de5719c03ee0e204a06", "type": "query", "version": 104 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { - "min_stack_version": "8.3", "rule_name": "Credential Dumping - Detected - Elastic Endgame", "sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234", "type": "query", "version": 103 }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { - "min_stack_version": "8.3", "rule_name": "Azure Virtual Network Device Modified or Deleted", "sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762", "type": "query", "version": 102 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { - "min_stack_version": "8.3", "rule_name": "PowerShell MiniDump Script", "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", "type": "query", "version": 108 }, "57bccf1d-daf5-4e1a-9049-ff79b5254704": { - "min_stack_version": "8.3", "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "8529bac526d51a184db69b13d9f15bf676bc2b0c6152f40ae73019f4dc20c408", "type": "eql", "version": 3 }, "581add16-df76-42bb-af8e-c979bfb39a59": { - "min_stack_version": "8.3", "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "abc7e66357468013a69f39627f5e9976245ba741d55515881174e59942bf5edc", "type": "eql", "version": 111 }, 
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": { - "min_stack_version": "8.3", "rule_name": "RDP Enabled via Registry", "sha256": "509028755d9bbaaabe41c984eebff548de67f107f346e42b1b4ee27cd12d5fdb", "type": "eql", "version": 111 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { - "min_stack_version": "8.3", "rule_name": "Zoom Meeting with no Passcode", "sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff", "type": "query", "version": 103 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { - "min_stack_version": "8.3", "rule_name": "Potential Lateral Tool Transfer via SMB Share", "sha256": "09b2312a59b33f13a4be41c88d7b5a3177bc1c158c0fa3c8118d4f33d7ccfe08", "type": "eql", "version": 108 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", "sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13", "type": "eql", "version": 111 }, "5919988c-29e1-4908-83aa-1f087a838f63": { - "min_stack_version": "8.3", "rule_name": "File or Directory Deletion Command", "sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a", "type": "eql", "version": 3 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "O365 Email Reported by User as Malware or Phish", - "sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935", - "type": "query", - "version": 106 - } - }, "rule_name": "O365 Email Reported by User as Malware or Phish", "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef", "type": "query", "version": 206 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "AWS CloudTrail Log Created", - "sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26", - "type": "query", - "version": 106 - } - }, 
"rule_name": "AWS CloudTrail Log Created", "sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7", "type": "query", "version": 207 }, "59756272-1998-4b8c-be14-e287035c4d10": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux User Discovery Activity", "sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225", "type": "machine_learning", "version": 104 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", "type": "eql", "version": 109 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Java", "sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1", "type": "eql", "version": 8 }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { - "min_stack_version": "8.3", "rule_name": "Potential Chroot Container Escape via Mount", "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc", "type": "eql", "version": 2 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { - "min_stack_version": "8.3", "rule_name": "Remote SSH Login Enabled via systemsetup Command", "sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058", "type": "query", "version": 106 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { - "min_stack_version": "8.3", "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", "type": "eql", "version": 109 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { - "min_stack_version": "8.3", "rule_name": "Virtual Machine Fingerprinting", "sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2", "type": "query", "version": 108 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { - "min_stack_version": "8.3", "rule_name": "SUID/SGUID Enumeration Detected", 
"sha256": "9374dc2038bb7999021a8e926287cd2cda2bd1abfa06f2f01d0af8be01679b40", "type": "eql", "version": 5 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { - "min_stack_version": "8.3", "rule_name": "Suspicious which Enumeration", "sha256": "ffbcf6b936ee4ef4c9b312ca9bb5da9d942f9a8680301b5f0debf394ad42c5fa", "type": "eql", "version": 5 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { - "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Browser Process", "sha256": "bd50fb4c4b5ec6a4ebd52c50a505e5dc1fe75637d51ad57a0f0e79dff682aea5", "type": "eql", "version": 4 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { - "min_stack_version": "8.3", "rule_name": "Suspicious PrintSpooler Service Executable File Creation", "sha256": "2e72ae9c5ca64669617999cec691b8f282cbf159464363b5d821bdddd4edd5d3", "type": "eql", "version": 108 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0", "type": "query", 
@@ -3643,116 +2777,84 @@ "version": 2 }, "5c602cba-ae00-4488-845d-24de2b6d8055": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0", "type": "query", "version": 1 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { - "min_stack_version": "8.4", "rule_name": "FirstTime Seen Account Performing DCSync", "sha256": "efaf2b94fb44203864342cbbad263757cf61dfe7c9be647fe038694e810170f4", "type": "new_terms", "version": 10 }, "5c81fc9d-1eae-437f-ba07-268472967013": { - "min_stack_version": "8.3", "rule_name": "Segfault Detected", "sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8", "type": "query", "version": 1 }, "5c895b4f-9133-4e68-9e23-59902175355c": { - "min_stack_version": "8.6", "rule_name": "Potential Meterpreter Reverse Shell", "sha256": "eba0d9a274b902396a98f70bf3464b3faba30514532b52d48f11de4f46572076", "type": "eql", "version": 6 }, "5c983105-4681-46c3-9890-0c66d05e776b": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Discovery Activity", "sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380", "type": "machine_learning", "version": 103 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { - "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via PRoot", "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4", "type": "eql", "version": 7 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { - "min_stack_version": "8.3", "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "63aa403181709c3d123a628bdd843aacbbc3fff0eca0f17fccf30788068d58ef", "type": "eql", "version": 108 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { - "min_stack_version": "8.3", "rule_name": "User Added to Privileged Group", "sha256": "b33d6cc34a4b101cc79bc0c7f84cb361bcd02e5318b2295a57ebf4505ef0824d", "type": "eql", "version": 109 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { 
- "min_stack_version": "8.3", "rule_name": "Persistence via PowerShell profile", "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", "type": "eql", "version": 9 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { - "min_stack_version": "8.3", "rule_name": "Persistence via Login or Logout Hook", "sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8", "type": "eql", "version": 107 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "4051d22fd7d1721a31073f7a8b1173bdced88d11e883da07bafb67030c11d4fd", "type": "eql", "version": 108 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { - "min_stack_version": "8.3", "rule_name": "Suspicious Automator Workflows Execution", "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906", "type": "eql", "version": 106 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Workspace 2SV Policy Disabled", - "sha256": "ddbea6e8e6fead49ee6b7eb17b83de0996fdabfef882164c7f04a134f1438293", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace 2SV Policy Disabled", "sha256": "90ed7cc03c1d2f50cb22cde81cefe5234690d44b19be19c4b0029735fa3e4f3a", "type": "query", "version": 106 }, "5e552599-ddec-4e14-bad1-28aa42404388": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Teams Guest Access Enabled", "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838", "type": "query", 
@@ -3772,58 +2874,42 @@ "version": 1 }, "5f2f463e-6997-478c-8405-fb41cc283281": { - "min_stack_version": "8.3", "rule_name": "Potential File Download via a Headless Browser", "sha256": "30c24a512438771d6de13cf9fbc3b909d451f6017b033ea015c1a99fc779f8b5", "type": "eql", "version": 1 }, "60884af6-f553-4a6c-af13-300047455491": { - "min_stack_version": "8.3", "rule_name": "Azure Command Execution on Virtual Machine", "sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12", "type": "query", "version": 102 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { - "min_stack_version": "8.3", "rule_name": "Azure Service Principal Addition", "sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2", "type": "query", "version": 105 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange DLP Policy Removed", "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9", "type": "query", "version": 206 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { - "min_stack_version": "8.3", "rule_name": "Unusual Process Network Connection", "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", "type": "eql", "version": 108 }, "61336fe6-c043-4743-ab6e-41292f439603": { - "min_stack_version": "8.3", "rule_name": "New User Added To GitHub Organization", "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", "type": "eql", "version": 1 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { - "min_stack_version": "8.3", "rule_name": "Interactive Logon by an Unusual Process", "sha256": "371c92a53ff6fe2812871b685def6102afb58b89c536d718eb67344227d117d2", "type": "eql", 
@@ -3832,7 +2918,7 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", @@ -3852,7 +2938,6 @@ "version": 100 }, "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { - "min_stack_version": "8.3", "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "596066dff727c29d10294ff6d205113bf4bc37e185127d4586a4a53eb1ed9cb0", "type": "eql", 
@@ -3866,70 +2951,60 @@ "version": 1 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { - "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", "type": "eql", "version": 107 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { - "min_stack_version": "8.3", "rule_name": "Account Configured with Never-Expiring Password", "sha256": "bff6971b2108d22178fe7e1ba59610ea438646b4c81a203c7c85e90f0b42b640", "type": "query", "version": 108 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { - "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection", "sha256": "cda94f2b58b70076662143a46548455aa8e987cf042b4b051776a276aa0c495f", "type": "eql", "version": 4 }, "63c05204-339a-11ed-a261-0242ac120002": { - "min_stack_version": "8.4", "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", "sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab", "type": "query", "version": 6 }, "63c056a0-339a-11ed-a261-0242ac120002": { - "min_stack_version": "8.4", "rule_name": "Kubernetes Denied Service Account Request", "sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86", "type": "query", "version": 5 }, "63c057cc-339a-11ed-a261-0242ac120002": { - "min_stack_version": "8.4", "rule_name": "Kubernetes Anonymous Request Authorized", "sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd", "type": "query", "version": 6 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { - "min_stack_version": "8.3", "rule_name": "Network Connection via Signed Binary", "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", "type": "eql", "version": 108 }, "647fc812-7996-4795-8869-9c4ea595fe88": { - "min_stack_version": "8.3", "rule_name": "Anomalous Process For a Linux Population", "sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096", "type": "machine_learning", "version": 
104 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { - "min_stack_version": "8.3", "rule_name": "Modification of Safari Settings via Defaults Command", "sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012", "type": "query", "version": 106 }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { - "min_stack_version": "8.3", "rule_name": "Network Connection via Recently Compiled Executable", "sha256": "602b297ae58effa807f0bca106916c4f1902c7fa8f5c62bfd282b5b65de72f7b", "type": "eql", 
@@ -3942,58 +3017,42 @@ "version": 100 }, "65f9bccd-510b-40df-8263-334f03174fed": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "c6cf6184bd1e4f3add0ac786022ed97b13163f8ef7278c905b94bcea8447509f", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Exposed Service Created With Type NodePort", "sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e", "type": "query", "version": 203 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { - "min_stack_version": "8.3", "rule_name": "Attempt to Mount SMB Share via Command Line", "sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4", "type": "eql", "version": 107 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { - "min_stack_version": "8.5", "rule_name": "Suspicious Termination of ESXI Process", "sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2", "type": "eql", "version": 6 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { - "min_stack_version": "8.3", "rule_name": "WebServer Access Logs Deleted", "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977", "type": "eql", "version": 105 }, "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { - "min_stack_version": "8.3", "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", "sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a", "type": "eql", "version": 7 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { - "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Web Services", "sha256": "fd8374f717cf2af735052c2e6070cf34a2f345ffc0817d3633deedef52e54e18", "type": "eql", "version": 113 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { - "min_stack_version": "8.3", "rule_name": "Linux Process Hooking via GDB", "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d", "type": "eql", 
@@ -4002,7 +3061,7 @@ "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489", @@ -4016,7 +3075,6 @@ "version": 206 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { - "min_stack_version": "8.3", "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "9a207172558146d200bc0297376b645cc44023db1b7a8202a16c432936fad1ab", "type": "query", @@ -4025,7 +3083,7 @@ "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63", @@ -4039,16 +3097,6 @@ "version": 206 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "O365 Mailbox Audit Logging Bypass", - "sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d", - "type": "query", - "version": 106 - } - }, "rule_name": "O365 Mailbox Audit Logging Bypass", "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb", "type": "query", @@ -4057,7 +3105,7 @@ "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93", @@ -4077,7 +3125,6 @@ "version": 100 }, "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { - "min_stack_version": "8.3", "rule_name": "High Number of Process Terminations", "sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3", "type": "threshold", 
@@ -4090,23 +3137,12 @@ "version": 100 }, "6839c821-011d-43bd-bd5b-acff00257226": { - "min_stack_version": "8.3", "rule_name": "Image File Execution Options Injection", "sha256": "413e961dc4797bf3701be20c749258009705733592d081c9b030aed6a7b8e75c", "type": "eql", "version": 107 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "New or Modified Federation Domain", - "sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6", - "type": "query", - "version": 106 - } - }, "rule_name": "New or Modified Federation Domain", "sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8", "type": "query", @@ -4115,7 +3151,7 @@ "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21", 
@@ -4129,252 +3165,162 @@ "version": 205 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { - "min_stack_version": "8.3", "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "ca27a9f60eec10c769a8b530ccb040f0a6c4218b6af386a6daa5e6ffb6ca381f", "type": "eql", "version": 110 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "a8a7d4e956c4cd2733f3d5e26871a367b937a0944420b3eaaca82370b8246a55", - "type": "query", - "version": 105 - } - }, "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "6efdcc0936767be2538639bc2b7dfc028b4f7d02b590bbfac757314fcec9ce2a", "type": "query", "version": 206 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { - "min_stack_version": "8.3", "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "9e2d92b09b248d78181d6b8283ed595c2560ea046d17365515a8e57f6cb1679c", "type": "eql", "version": 107 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudWatch Log Group Deletion", "sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399", "type": "query", "version": 209 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { - "min_stack_version": "8.3", "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "307219345f44551ce020e8edcdc4a77f54cae4a0431f6fdd2dd7b9553c93519d", "type": "eql", "version": 1 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459", "type": "eql", "version": 109 }, 
"6951f15e-533c-4a60-8014-a3c3ab851a1b": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 104, - "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd", - "type": "query", - "version": 5 - } - }, "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e", "type": "query", "version": 106 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { - "min_stack_version": "8.5", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", - "sha256": "32f01788e2000cbf97dfe76446aa173db05e8a73eac467ec634aec29072ba7e8", - "type": "threat_match", - "version": 105 - } - }, "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", "sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85", "type": "threat_match", "version": 204 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { - "min_stack_version": "8.3", "rule_name": "Modification of Boot Configuration", "sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525", "type": "eql", "version": 109 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS IAM Password Recovery Requested", "sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df", "type": "query", "version": 206 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "EC2 AMI Shared with Another Account", "sha256": "269a6ce9b13aedfce015a85a679e1a55ebf3974fdd7cb9b3c9f84411ed85cafc", "type": "query", 
"version": 1 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { - "min_stack_version": "8.3", "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", "type": "eql", "version": 110 }, "6aace640-e631-4870-ba8e-5fdda09325db": { - "min_stack_version": "8.3", "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", "type": "eql", "version": 111 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { - "min_stack_version": "8.3", "rule_name": "Suspicious Utility Launched via ProxyChains", "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2", "type": "eql", "version": 7 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Sensitive Files Compression", - "sha256": "271c0de47099ee8a5e049d68bf4d49801b884b81f673df03edceab970daebe19", - "type": "query", - "version": 106 - } - }, "rule_name": "Sensitive Files Compression", "sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50", "type": "new_terms", "version": 208 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { - "min_stack_version": "8.3", "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "4a3308713c74898d9a52d894105c3a41556786008f169b725436c4dbc018ee99", "type": "eql", "version": 107 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { - "min_stack_version": "8.8", "rule_name": "Container Management Utility Run Inside A Container", "sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d", "type": "eql", "version": 2 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { - "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", "type": "eql", "version": 108 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": 
{ - "min_stack_version": "8.3", "rule_name": "GitHub Repo Created", "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", "type": "eql", "version": 1 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { - "min_stack_version": "8.3", "rule_name": "Unusual Process For a Windows Host", "sha256": "f65a12afc06498c72c6fe35834ef48f2c6cee057748963b300cae83e7a411f78", "type": "machine_learning", "version": 107 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { - "min_stack_version": "8.6", "rule_name": "Potential Privilege Escalation via CVE-2023-4911", "sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0", "type": "eql", "version": 4 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", "sha256": "296e88e08cfeb38dd5bfe7c3719ed7ce80f41022b51190abddbedacc66220afa", "type": "new_terms", "version": 5 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { - "min_stack_version": "8.3", "rule_name": "Anomalous Process For a Windows Population", "sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd", "type": "machine_learning", "version": 105 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { - "min_stack_version": "8.3", "rule_name": "AdminSDHolder Backdoor", "sha256": "53f33d98ecca40d46328a7ff7593743ac0f62aefad6854a203355d59f240ece1", "type": "query", "version": 106 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { - "min_stack_version": "8.7", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e", - "type": "eql", - "version": 107 - } - }, "rule_name": "Enumeration of Users or Groups via Built-in Commands", "sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd", "type": "eql", "version": 207 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { - "min_stack_version": "8.3", 
"rule_name": "Potential Windows Error Manager Masquerading", "sha256": "f66c92e627ba4aabff1fb546ee38cbdf15e88ad11a4e5fc9059ba9be41db31f3", "type": "eql", "version": 108 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { - "min_stack_version": "8.3", "rule_name": "Security Software Discovery using WMIC", "sha256": "191d08e949cb9f57e2853a307b82f336896da072f4dea0054f301ee50bebfd89", "type": "eql", @@ -4387,7 +3333,6 @@ "version": 100 }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Tunneling and/or Port Forwarding", "sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8", "type": "eql", @@ -4407,16 +3352,6 @@ "version": 1 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Google Workspace Role Modified", - "sha256": "8917dd169608ea491ef3f4c15d53b08aa6747b200e3b62a4bc22da3afb71fc9a", - "type": "query", - "version": 104 - } - }, "rule_name": "Google Workspace Role Modified", "sha256": "cc27c5d907038ca85c5d0c991e541013163f6fccc0bf95c84ac0b4ed62175081", "type": "query", 
@@ -4429,113 +3364,66 @@ "version": 100 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudTrail Log Deleted", "sha256": "f23d0872d802001bbc030b70a5f6be00760eb331e2c1ea06a5e57d15d2e336c9", "type": "query", "version": 209 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS Config Resource Deletion", - "sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS Config Resource Deletion", "sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f", "type": "query", "version": 209 }, "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "2b0a113e37d67649e6f11b5bf035ca1a3a6649ad4996a27b1e788651ae11b846", "type": "eql", "version": 2 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { - "min_stack_version": "8.3", "rule_name": "Persistence via WMI Standard Registry Provider", "sha256": "db796cbae0d063b4f1a54079e8f00e82b333a78701059a9a9962630dd48cc857", "type": "eql", "version": 108 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { - "min_stack_version": "8.3", "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47", "type": "query", "version": 106 }, "7164081a-3930-11ed-a261-0242ac120002": { - "min_stack_version": "8.4", "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", "sha256": "86bf8bc61640a49c610c81cef5cb6bd417d85a5160637971eb56c908af7a3bec", "type": "query", "version": 4 }, 
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "dc67793718c16d2d90d8be38bf310b0ce87c25f4e9c56a66f7a231b80d9922f0", - "type": "query", - "version": 107 - } - }, "rule_name": "Modification of Dynamic Linker Preload Shared Object", "sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40", "type": "new_terms", "version": 209 }, "71bccb61-e19b-452f-b104-79a60e546a95": { - "min_stack_version": "8.3", "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "a3fdba9254d6e0decace5b3bbe34f7365bdb09fb0ab62ce49b0058dc63af0cbc", "type": "eql", "version": 114 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { - "min_stack_version": "8.3", "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "e9a9062beb0713d366bd638f7cf733c19ec8aed20b8603b3b0d460618a78aaa2", "type": "eql", "version": 109 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { - "min_stack_version": "8.3", "rule_name": "Suspicious Passwd File Event Action", "sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2", "type": "eql", "version": 3 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Potential ransomware activity", "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", "type": "query", 
@@ -4544,7 +3432,7 @@ "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c", @@ -4564,21 +3452,18 @@ "version": 100 }, "72ed9140-fe9d-4a34-a026-75b50e484b17": { - "min_stack_version": "8.6", "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", "sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9", "type": "new_terms", "version": 2 }, "730ed57d-ae0f-444f-af50-78708b57edd5": { - "min_stack_version": "8.3", "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578", "type": "eql", "version": 1 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { - "min_stack_version": "8.3", "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "65d25ee5fe0482453ec857754eb6d2d3273c48bcef76cea6d9c3843f555d19eb", "type": "eql", @@ -4587,7 +3472,7 @@ "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Modification of Environment Variable via Launchctl", "sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb", 
@@ -4601,232 +3486,168 @@ "version": 206 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { - "min_stack_version": "8.3", "rule_name": "Unusual Hour for a User to Logon", "sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c", "type": "machine_learning", "version": 104 }, "746edc4c-c54c-49c6-97a1-651223819448": { - "min_stack_version": "8.3", "rule_name": "Unusual DNS Activity", "sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577", "type": "machine_learning", "version": 103 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 102, - "rule_name": "Suspicious Sysctl File Event", - "sha256": "dc62f12237c63e7f170343cc5fcf2587a078f5af5e823d46e6545f8b11a01b90", - "type": "eql", - "version": 4 - } - }, "rule_name": "Suspicious Sysctl File Event", "sha256": "a98b507603e191d5d7b9018614f89020e94baf48aa9ab69666128517e8a282c8", "type": "new_terms", "version": 107 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { - "min_stack_version": "8.3", "rule_name": "Service Disabled via Registry Modification", "sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a", "type": "eql", "version": 3 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { - "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: Unauthorized Method", "sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961", "type": "query", "version": 102 }, "76152ca1-71d0-4003-9e37-0983e12832da": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Sudoers File Modification", "sha256": "6dfec898ca5b57352a078ff6ea65a0452985eeac88bb6ca491399544d57be902", "type": "query", "version": 103 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": 
"88a76082a0b05f8b848047174d1517f7746506e91ed2bb2d203255a52f38a8e2", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Pod Created With HostIPC", "sha256": "beed3f7f4d2a86f155bd96e2903ded43fe8eb75d27f85650778e44bdf7e50982", "type": "query", "version": 203 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { - "min_stack_version": "8.3", "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": "1ae31d3cb536669955d44bdf92b5c53dfd9868ad3ff5813fe8acee8502eecc41", "type": "eql", "version": 10 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { - "min_stack_version": "8.3", "rule_name": "Creation of Hidden Shared Object File", "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa", "type": "eql", "version": 110 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { - "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", "type": "eql", "version": 106 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Child Process", "sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953", "type": "eql", "version": 9 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { - "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33", "type": "eql", "version": 110 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { - "min_stack_version": "8.3", "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "8ad7865bb2ea255f74f4010cbc3df77b3480c3878500abf1c5ebf0b7c924a7cf", "type": "eql", "version": 111 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { - "min_stack_version": "8.3", "rule_name": "User Added as Owner for Azure Application", "sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26", "type": "query", "version": 102 }, 
"7787362c-90ff-4b1a-b313-8808b1020e64": { - "min_stack_version": "8.6", "rule_name": "UID Elevation from Previously Unknown Executable", "sha256": "2b60afa9037795b630f1d33a76fcd68f49f3c1ccf9b0da8445765575a2508534", "type": "new_terms", "version": 2 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { - "min_stack_version": "8.3", "rule_name": "Adversary Behavior - Detected - Elastic Endgame", "sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d", "type": "query", "version": 104 }, "781f8746-2180-4691-890c-4c96d11ca91d": { - "min_stack_version": "8.3", "rule_name": "Potential Network Sweep Detected", "sha256": "a076fa96b47fb15ed66e6f90750fdc91ac7f7cf9e496f47150eba1253dcbc6db", "type": "threshold", "version": 5 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Application Added to Google Workspace Domain", - "sha256": "7fa64b656ada94baa0a8d76c00231f99bfd63f0925722bdfeb6528ff90cdef76", - "type": "query", - "version": 104 - } - }, "rule_name": "Application Added to Google Workspace Domain", "sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6", "type": "query", "version": 205 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { - "min_stack_version": "8.3", "rule_name": "Azure Privilege Identity Management Role Modified", "sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e", "type": "query", "version": 105 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Spike in AWS Error Messages", - "sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Spike in AWS Error Messages", "sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2", "type": "machine_learning", "version": 208 }, 
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": { - "min_stack_version": "8.3", "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0", "type": "eql", "version": 1 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { - "min_stack_version": "8.3", "rule_name": "Suspicious File Renamed via SMB", "sha256": "fc6be263784c700668a9eb4f67231f1786f1750bc929af29d6655989375915c0", "type": "eql", "version": 1 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { - "min_stack_version": "8.4", "rule_name": "Unsigned DLL Loaded by Svchost", "sha256": "693613eaf1e2584a9bc56d598ff28225091c888aa886521384faf26f2cc43a45", "type": "eql", "version": 6 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { - "min_stack_version": "8.3", "rule_name": "File Compressed or Archived into Common Format", "sha256": "75b814ddab9122b2dde8034d1daadc9731ff977dce815207b7565aad49cda555", "type": "eql", "version": 4 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { - "min_stack_version": "8.3", "rule_name": "Azure Key Vault Modified", "sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87", "type": "query", "version": 103 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { - "min_stack_version": "8.3", "rule_name": "Potential Masquerading as System32 Executable", "sha256": "a613c9495f4b8b1cd51df4eac684c578f26aceaa65e6d20faa875e280f3a0912", "type": "eql", "version": 4 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { - "min_stack_version": "8.3", "rule_name": "Potential File Transfer via Certreq", "sha256": "45f8eda9995222bc895d40fc9bab8fea41954def40702271c8a6b7af7bd09eef", "type": "eql", "version": 8 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { - "min_stack_version": "8.3", "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "696545e871e59971a9c77d60fb7f5cb25cbbec8a62cdf6fd167b9ec939efa675", "type": "query", 
@@ -4839,14 +3660,12 @@ "version": 100 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation through Writable Docker Socket", "sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2", "type": "eql", "version": 5 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { - "min_stack_version": "8.3", "rule_name": "Potential Execution via XZBackdoor", "sha256": "3b5e1d6fe931166937ac8b2540f9f001897d52336750147eef0f13925a5f0c39", "type": "eql", 
@@ -4859,69 +3678,36 @@ "version": 100 }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS ElastiCache Security Group Created", "sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4", "type": "query", "version": 206 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { - "min_stack_version": "8.3", "rule_name": "Windows Network Enumeration", "sha256": "76d42ebe68f574a31fb590b3d96321d2e8d048306a8159b2f0b36be83255e855", "type": "eql", "version": 111 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "cfb5125f0705e215f8dc00f7a38fe7454cf24077181b6b9c70068c7e46fbadb6", - "type": "eql", - "version": 106 - } - }, "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", "type": "eql", "version": 208 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { - "min_stack_version": "8.3", "rule_name": "Tampering of Shell Command-Line History", "sha256": "106aa939e4c87db6570ee327ed6ca3e7f889aca17a71e09044b0b8dc3bed815c", "type": "eql", "version": 105 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Workspace Bitlocker Setting Disabled", - "sha256": "b7f72377e6e5c62220a4932b83c0343a304f9e32c6f8df1a2320f97dc666d857", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace Bitlocker Setting Disabled", "sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55", "type": "query", "version": 106 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { 
- "min_stack_version": "8.3", "rule_name": "GCP Service Account Creation", "sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c", "type": "query", 
@@ -4934,104 +3720,66 @@ "version": 100 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { - "min_stack_version": "8.3", "rule_name": "Suspicious Kworker UID Elevation", "sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a", "type": "eql", "version": 2 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { - "min_stack_version": "8.3", "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", "type": "eql", "version": 109 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 100, - "rule_name": "Discovery of Internet Capabilities via Built-in Tools", - "sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66", - "type": "eql", - "version": 1 - } - }, "rule_name": "Discovery of Internet Capabilities via Built-in Tools", "sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee", "type": "new_terms", "version": 102 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { - "min_stack_version": "8.6", "rule_name": "New Systemd Timer Created", "sha256": "c5bf7a856bf289f0687f5916c01098906650541047b786e7a120cd6ec3fbb948", "type": "new_terms", "version": 9 }, "80084fa9-8677-4453-8680-b891d3c0c778": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 102, - "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "e8cbeafae45cf6592034b68de6f2166705890d49c7a6e5821b387dfa6c535dc9", - "type": "eql", - "version": 4 - } - }, "rule_name": "Enumeration of Kernel Modules via Proc", "sha256": "a673dd1c8988721179c42b0b788a1b229fce05298dfe5664b54ca535750e4587", "type": "new_terms", "version": 106 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { - "min_stack_version": "8.3", "rule_name": "Unusual Process Extension", "sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a", "type": "eql", "version": 4 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { - 
"min_stack_version": "8.3", "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": "237bea63ac52782481baf16b92d59c08e0e799105d378bec92197c4ad8fad8b4", "type": "eql", "version": 2 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Unusual City For an AWS Command", - "sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Unusual City For an AWS Command", "sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199", "type": "machine_learning", "version": 208 }, "80c52164-c82a-402c-9964-852533d58be1": { - "min_stack_version": "8.3", "rule_name": "Process Injection - Detected - Elastic Endgame", "sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be", "type": "query", "version": 103 }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { - "min_stack_version": "8.9", "rule_name": "Unusual Remote File Extension", "sha256": "e5eeb038f9aa39433fcea8c9410b24a6a1337512da397d2818fc96f5698f767b", "type": "machine_learning", "version": 3 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "93f0d3a27ec93093c91f59d6a1bcd1a34b1f007ff0304b857a730c1c6c35f186", "type": "eql", @@ -5046,7 +3794,7 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", @@ -5060,7 +3808,6 @@ "version": 211 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { - "min_stack_version": "8.3", "rule_name": "Temporarily Scheduled Task Creation", "sha256": "b9eb095355ecc02a827ca56e41a3ccd5fd5fff3c57c2f1a1e16e0f32082bcd46", "type": "eql", 
@@ -5069,7 +3816,7 @@ "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a", @@ -5083,14 +3830,12 @@ "version": 207 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Local Account Brute Force Detected", "sha256": "7951c32071a4f27cf235f88d6d4af14655a24aca293681878a970dc3e3973c1f", "type": "eql", "version": 6 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { - "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Pods Deleted", "sha256": "8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9", "type": "query", 
@@ -5103,143 +3848,84 @@ "version": 100 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { - "min_stack_version": "8.3", "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "1814e77d691d41da88a1ba4c922ef445c031e653b86b5dd166f99cba587157f1", "type": "eql", "version": 7 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { - "min_stack_version": "8.3", "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role", "sha256": "ca0cdbc0af36d4bf4a78a1a5f82fca391580b9507566dd67dd281c61cd510c7a", "type": "new_terms", "version": 2 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { - "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Transport Agent Install Script", "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", "type": "query", "version": 5 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { - "min_stack_version": "8.3", "rule_name": "Potential Upgrade of Non-interactive Shell", "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", "type": "eql", "version": 3 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { - "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "7a9ce57d7b2a5c723facc456a26c549cb5acacc09fe4844360c1af34366c0744", "type": "eql", "version": 110 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { - "min_stack_version": "8.3", "rule_name": "Potential Remote Credential Access via Registry", "sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32", "type": "eql", "version": 111 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47", - "type": "eql", - "version": 108 - } - }, "rule_name": "Suspicious PowerShell Engine ImageLoad", "sha256": "8fb4c5a6040d9edf0a32b6e6fd809d366eea096495438e323e148d684c871404", "type": "new_terms", "version": 210 }, 
"8623535c-1e17-44e1-aa97-7a0699c3037d": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006", "type": "query", "version": 206 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Security Group Deletion", - "sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Security Group Deletion", "sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9", "type": "query", "version": 206 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS IAM Group Deletion", - "sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS IAM Group Deletion", "sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781", "type": "query", "version": 206 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Reverse Connection through Port Knocking", "sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc", "type": "eql", "version": 1 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { - "min_stack_version": "8.3", "rule_name": "Security Software Discovery via Grep", "sha256": "de3ae123fbc7d0cb0596b3c5cc6467fdf51f545053665c4f5afdeb758983bc76", "type": "eql", "version": 109 }, "871ea072-1b71-4def-b016-6278b505138d": { - "min_stack_version": "8.3", "rule_name": "Enumeration of 
Administrator Accounts", "sha256": "6a87be3b93e4a75c3dbfeba82b7aaa420dd43f042ec1bc9641d5649f8f6850b5", "type": "eql", "version": 112 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EventBridge Rule Disabled or Deleted", "sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339", "type": "query", 
@@ -5252,53 +3938,30 @@ "version": 100 }, "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { - "min_stack_version": "8.6", "rule_name": "Potential Suspicious Clipboard Activity Detected", "sha256": "0177e89bdd890b3651f0d3bc7bb08aa7a71cc97d95e6f965d2131a132599a839", "type": "new_terms", "version": 4 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Global Administrator Role Assigned", "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66", "type": "query", "version": 206 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { - "min_stack_version": "8.3", "rule_name": "Sublime Plugin or Application Script Modification", "sha256": "e1e70345125002f7b837c9c87a54b449497d0b8a5d4f32f30e24b28185445925", "type": "eql", "version": 107 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 102, - "rule_name": "Potential Sudo Hijacking Detected", - "sha256": "28eba13edb2d9454c08d86938d6bf41ed614c2c32879ec8719cd571c0c9cbef5", - "type": "eql", - "version": 3 - } - }, "rule_name": "Potential Sudo Hijacking Detected", "sha256": "3d49290bdfa2269196ce840768887b0c20588d07f406eef1f33e10c6117246e0", "type": "new_terms", "version": 105 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { - "min_stack_version": "8.3", "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", "type": "eql", 
@@ -5311,28 +3974,24 @@ "version": 100 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { - "min_stack_version": "8.3", "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", "type": "eql", "version": 110 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { - "min_stack_version": "8.3", "rule_name": "Command Prompt Network Connection", "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", "type": "eql", "version": 108 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { - "min_stack_version": "8.3", "rule_name": "Persistence via DirectoryService Plugin Modification", "sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b", "type": "query", "version": 106 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { - "min_stack_version": "8.3", "rule_name": "Suspicious Symbolic Link Created", "sha256": "6041852ef2da176bb02a69879e30441c9842802e2b5e06678aaca5653322cf32", "type": "eql", @@ -5346,21 +4005,18 @@ "version": 3 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { - "min_stack_version": "8.3", "rule_name": "GitHub PAT Access Revoked", "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4", "type": "eql", "version": 1 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { - "min_stack_version": "8.3", "rule_name": "Setuid / Setgid Bit Set via chmod", "sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5", "type": "query", "version": 103 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", "type": "eql", @@ -5369,7 +4025,7 @@ "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009", 
@@ -5383,149 +4039,120 @@ "version": 206 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "Suspicious JAVA Child Process", - "sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16", - "type": "eql", - "version": 105 - } - }, "rule_name": "Suspicious JAVA Child Process", "sha256": "c73d3fa21849f702bf7a08d4182ce1e62bbf2096eef54418fd5faf94e042da75", "type": "new_terms", "version": 208 }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { - "min_stack_version": "8.3", "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140", "type": "eql", "version": 4 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { - "min_stack_version": "8.3", "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298", "type": "eql", "version": 108 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { - "min_stack_version": "8.3", "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "78eb240c8eeeb4d9df8d9454ba4f91306bbffcdf8b395c3a62c87009f89504de", "type": "eql", "version": 109 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { - "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Events Deleted", "sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9", "type": "query", "version": 102 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { - "min_stack_version": "8.3", "rule_name": "RDP (Remote Desktop Protocol) from the Internet", "sha256": "97a0561922556e3ced27828faed777dc5a0ab1da7843bfef7c19929702a26f4b", "type": "query", "version": 103 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { - "min_stack_version": "8.3", "rule_name": "Unusual Child Process of dns.exe", "sha256": "a6ecf9a561d41bac0bb75fbf33f868dc71ed4fc5e07f914780fd73c29dcdb1ba", "type": "eql", "version": 110 }, 
"8c81e506-6e82-4884-9b9a-75d3d252f967": { - "min_stack_version": "8.3", "rule_name": "Potential SharpRDP Behavior", "sha256": "133e1acd35b1b06ce036bf672f04203863a4f2e1c535cc722321f198d71bffda", "type": "eql", "version": 106 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { - "min_stack_version": "8.3", "rule_name": "Ransomware - Detected - Elastic Endgame", "sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2", "type": "query", "version": 103 }, "8cb84371-d053-4f4f-bce0-c74990e28f28": { - "min_stack_version": "8.3", "rule_name": "Potential Successful SSH Brute Force Attack", "sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483", "type": "eql", "version": 11 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { - "min_stack_version": "8.3", "rule_name": "File with Suspicious Extension Downloaded", "sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0", "type": "eql", "version": 3 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { - "min_stack_version": "8.8", "rule_name": "Suspicious Interactive Shell Spawned From Inside A Container", "sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e", "type": "eql", "version": 2 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via PKEXEC", "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698", "type": "eql", "version": 108 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { - "min_stack_version": "8.3", "rule_name": "Azure Automation Runbook Deleted", "sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c", "type": "query", "version": 102 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { - "min_stack_version": "8.3", "rule_name": "Potential Outgoing RDP Connection by Unusual Process", "sha256": "e724d32f7d8923ac1608a48ba78404bda59c6db4b1475a392ad766f4e0853459", "type": "eql", "version": 3 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { - "min_stack_version": 
"8.3", "rule_name": "Bitsadmin Activity", "sha256": "39ca4c3ed7500f428501bf32d7b5361c687e94b712b9d7742406bb4c804bb53b", "type": "eql", "version": 2 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { - "min_stack_version": "8.3", "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "sha256": "60451d80b47ef91bfe8095934b32b4899ae705a33e3df155894a58dc67c97ce6", "type": "eql", "version": 1 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { - "min_stack_version": "8.3", "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", "sha256": "bb44b0120653077a52d8fbfb935aa73998db23fe25b3c188024f3a96b09b8e4c", "type": "eql", "version": 106 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { - "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", "type": "eql", "version": 107 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { - "min_stack_version": "8.3", "rule_name": "GCP Service Account Deletion", "sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb", "type": "query", 
@@ -5538,37 +4165,24 @@ "version": 100 }, "90169566-2260-4824-b8e4-8615c3b4ed52": { - "min_stack_version": "8.3", "rule_name": "Hping Process Activity", "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c", "type": "eql", "version": 108 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Deletion of RDS Instance or Cluster", "sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241", "type": "query", "version": 206 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { - "min_stack_version": "8.3", "rule_name": "Keychain Password Retrieval via Command Line", "sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3", "type": "eql", "version": 108 }, "90babaa8-5216-4568-992d-d4a01a105d98": { - "min_stack_version": "8.3", "rule_name": "InstallUtil Activity", "sha256": "b3e654521bd77a07433f951786a8b37f3f4bb9ef9459f8cbfd080af927ebf5f9", "type": "eql", 
@@ -5581,51 +4195,36 @@ "version": 100 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { - "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Route Creation", "sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79", "type": "query", "version": 104 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS WAF Access Control List Deletion", "sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1", "type": "query", "version": 206 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { - "min_stack_version": "8.3", "rule_name": "Unusual Web User Agent", "sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347", "type": "machine_learning", "version": 103 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { - "min_stack_version": "8.3", "rule_name": "Unusual Web Request", "sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1", "type": "machine_learning", "version": 103 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { - "min_stack_version": "8.3", "rule_name": "DNS Tunneling", "sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea", "type": "machine_learning", "version": 103 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { - "min_stack_version": "8.3", "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", "type": "threshold", 
@@ -5634,7 +4233,7 @@ "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 107, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", 
@@ -5648,173 +4247,102 @@ "version": 108 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { - "min_stack_version": "8.3", "rule_name": "A scheduled task was created", "sha256": "d54ac464d0549dec4468d4706dfce032e2e8bed176f5ece56f3c6430378aff76", "type": "eql", "version": 8 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { - "min_stack_version": "8.3", "rule_name": "Potential Evasion via Windows Filtering Platform", "sha256": "1985305e54165a73be2bdfd8d6de615ed21edde213a17f11911f0a25cdd28c0c", "type": "eql", "version": 3 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", "sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860", "type": "query", "version": 206 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Sudoers File Modification", - "sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef", - "type": "query", - "version": 103 - } - }, "rule_name": "Sudoers File Modification", "sha256": "f4d948d4c06ecb8fae9ce5be98bc19d8200ccb0e271913c4b2c41c01a45233b2", "type": "new_terms", "version": 204 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS VPC Flow Logs Deletion", "sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6", "type": "query", "version": 209 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { - "min_stack_version": 
"8.3", "rule_name": "Suspicious SolarWinds Child Process", "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", "type": "eql", "version": 110 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { - "min_stack_version": "8.3", "rule_name": "Encoded Executable Stored in the Registry", "sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851", "type": "eql", "version": 107 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "723578f77b081beb3b8a8da703208e1279aa15eba410de837d67b390c4334bbe", - "type": "query", - "version": 104 - } - }, "rule_name": "Google Workspace Admin Role Deletion", "sha256": "cab219f6e8b4ccaf91b7f6190f1d098c08ddc5b898d2e1566965ba6039a72657", "type": "query", "version": 205 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f", - "type": "query", - "version": 104 - } - }, "rule_name": "Modification of Standard Authentication Module or Configuration", "sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30", "type": "new_terms", "version": 204 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { - "min_stack_version": "8.3", "rule_name": "Creation of Kernel Module", "sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533", "type": "eql", "version": 3 }, "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { - "min_stack_version": "8.3", "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", "sha256": "31677cdb4cb00d90106a66e1b086ad61ada306117acf7b0af9e17d13a96b91f0", "type": "eql", "version": 8 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - 
"max_allowable_version": 103, - "rule_name": "Google Workspace Custom Gmail Route Created or Modified", - "sha256": "0c7bcbc73caec8df64f6e5d9c2430357baaef7371ef1f47b25b5f5bd7f6edf7f", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1", "type": "query", "version": 106 }, "951779c2-82ad-4a6c-82b8-296c1f691449": { - "min_stack_version": "8.3", "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", "sha256": "7675d578e4dd24bc57bd2bbf670bfc9415f87ba8a2f3ddf8e8a7c00d3641d5f6", "type": "query", "version": 1 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { - "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation", "sha256": "efc5bf9425039882bd50862795a48859ffe194bee570ae43e2268a9fbea9fe80", "type": "eql", "version": 108 }, "959a7353-1129-4aa7-9084-30746b256a70": { - "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c", "type": "query", "version": 108 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { - "min_stack_version": "8.8", "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9", "type": "eql", "version": 2 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { - "min_stack_version": "8.3", "rule_name": "File made Immutable by Chattr", "sha256": "c2d2cfe2f74f7c4a8901ab56d95245ba900ce8e18c828bf0a2ad894b6260731e", "type": "eql", @@ -5823,7 +4351,7 @@ "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Attempt to Create Okta API Token", "sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353", 
@@ -5837,53 +4365,30 @@ "version": 205 }, "96d11d31-9a79-480f-8401-da28b194608f": { - "min_stack_version": "8.6", "rule_name": "Potential Persistence Through MOTD File Creation Detected", "sha256": "bc9916d1a1cd785c77d6f24073b3b607cdcefc196480e1f09e5e734866ac7fb1", "type": "new_terms", "version": 9 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { - "min_stack_version": "8.7", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Access to Keychain Credentials Directories", - "sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de", - "type": "eql", - "version": 107 - } - }, "rule_name": "Access to Keychain Credentials Directories", "sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63", "type": "eql", "version": 207 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { - "min_stack_version": "8.3", "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", "sha256": "a3cff32c0bdbd78533b034070c4a270116087312c08ff8511d9bfd520be44f36", "type": "eql", "version": 7 }, "97314185-2568-4561-ae81-f3e480e5e695": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", "type": "query", "version": 206 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { - "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Configuration Modification", "sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6", "type": "query", 
@@ -5897,16 +4402,6 @@ "version": 1 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS SAML Activity", - "sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS SAML Activity", "sha256": "37af41b152c5085758547bee67d9f0387f5f07fcba690c925338905f100cc43d", "type": "query", @@ -5915,7 +4410,7 @@ "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Potential Abuse of Repeated MFA Push Notifications", "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", @@ -5929,7 +4424,6 @@ "version": 209 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { - "min_stack_version": "8.3", "rule_name": "Suspicious Zoom Child Process", "sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976", "type": "eql", @@ -5942,7 +4436,6 @@ "version": 100 }, "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { - "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI Files", "sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39", "type": "eql", 
@@ -5955,169 +4448,108 @@ "version": 100 }, "97fc44d3-8dae-4019-ae83-298c3015600f": { - "min_stack_version": "8.3", "rule_name": "Startup or Run Key Registry Modification", "sha256": "361fc9bece9212d2816e83198a13e6951dc8e63c878162f552778218c8711684", "type": "eql", "version": 111 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "sha256": "bca34a9cc93d913e9dd7b38378787f84bffb714c7a1ff0e76fe33c0b81cce627", "type": "eql", "version": 3 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { - "min_stack_version": "8.3", "rule_name": "Indirect Command Execution via Forfiles/Pcalua", "sha256": "1a205cf65c5d3958f5a75ef9944f9e7c7f8edc9dce54de95c5cc236303ed1416", "type": "eql", "version": 2 }, "9890ee61-d061-403d-9bf6-64934c51f638": { - "min_stack_version": "8.3", "rule_name": "GCP IAM Service Account Key Deletion", "sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff", "type": "query", "version": 104 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c", "type": "query", "version": 206 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS EC2 Snapshot Activity", "sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1", "type": "query", "version": 209 
}, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { - "min_stack_version": "8.3", "rule_name": "Process Injection - Prevented - Elastic Endgame", "sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa", "type": "query", "version": 103 }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { - "min_stack_version": "8.3", "rule_name": "MacOS Installer Package Spawns Network Event", "sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584", "type": "eql", "version": 107 }, "994e40aa-8c85-43de-825e-15f665375ee8": { - "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "sha256": "482926261657f74d6e44dd1fcdcd25df11184139e079a28e9558d172a94bc94f", "type": "eql", "version": 4 }, "9960432d-9b26-409f-972b-839a959e79e2": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "51227a6967396d84ff70c0b13a8a92fe16f45b0f6824b1cafb1b648ea5d5fddd", - "type": "eql", - "version": 106 - } - }, "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "2a6ab34b2777b1c0c5811839d0fb72b2778f887ef1ff8f877e8c2a1d8158a292", "type": "eql", "version": 209 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { - "min_stack_version": "8.3", "rule_name": "Spike in Failed Logon Events", "sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f", "type": "machine_learning", "version": 104 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { - "min_stack_version": "8.3", "rule_name": "Endpoint Security", "sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d", "type": "query", "version": 103 }, "9a3884d0-282d-45ea-86ce-b9c81100f026": { - "min_stack_version": "8.3", "rule_name": "Unsigned BITS Service Client Process", "sha256": "6c6b0a4cca70f6f55c5b73ca65607b2b546521f99bef8c3eeec5a873a4cebdcf", "type": "eql", "version": 2 }, 
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 104, - "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "956ccfb72b0b0545eedcac7869c1de45bcdc05490d5bf7c07da51f94442f4cf8", - "type": "eql", - "version": 6 - }, - "8.4": { - "max_allowable_version": 207, - "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "25484718086d5b02486408a92befb4c3f5ad9114ca059168686f84ada6efb1c0", - "type": "new_terms", - "version": 108 - } - }, "rule_name": "Potential Shadow File Read via Command Line Utilities", "sha256": "6d3b04cf53c9662f1a011b9b8d0b412aa1fb0f3bfe1771f6a1807b4bf76c1780", "type": "new_terms", "version": 208 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { - "min_stack_version": "8.3", "rule_name": "Suspicious Explorer Child Process", "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7", "type": "eql", "version": 109 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { - "min_stack_version": "8.3", "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "70c14e4efec28255020d7227acf60ade921f89c6f4f6f20df7eefe9f083993ce", "type": "eql", "version": 109 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { - "min_stack_version": "8.3", "rule_name": "GitHub Owner Role Granted To User", "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", "type": "eql", "version": 3 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { - "min_stack_version": "8.3", "rule_name": "Persistence via WMI Event Subscription", "sha256": "36be7f5bc34d95f4e0db0866f200db91e20c57104c47535e70c0579f42c47d7c", "type": "eql", 
@@ -6131,44 +4563,30 @@ "version": 2 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { - "min_stack_version": "8.3", "rule_name": "Hosts File Modified", "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2", "type": "eql", "version": 108 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { - "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation via RPC", "sha256": "0f64c28a181949a1efa09b4f30225af7c831dc379510fde5484cb91ebbe9059e", "type": "eql", "version": 8 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { - "min_stack_version": "8.3", "rule_name": "Potential Enumeration via Active Directory Web Service", "sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1", "type": "eql", "version": 2 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { - "min_stack_version": "8.3", "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057", "type": "eql", "version": 110 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Workspace User Group Access Modified to Allow External Access", - "sha256": "4ca64be8b81634872abafdfb31ec9ad8ac4825ceb19369bc47a5f59f0cd15968", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace User Group Access Modified to Allow External Access", "sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd", "type": "query", 
@@ -6181,248 +4599,168 @@ "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2", - "type": "eql", - "version": 105 - } - }, "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c", "type": "new_terms", "version": 209 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { - "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "c485e1358f4158ae03a14255b6d46e7c55467c0fadf17bb618b1ea57366ef1e1", "type": "eql", "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { - "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "9821305b0eebf7cd0540a8a4af112f0cb88abf4dc3bbbe323ade7a203ccf4b08", "type": "eql", "version": 112 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { - "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5", "type": "eql", "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d", - "type": "eql", - "version": 106 - } - }, "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "88f6d6c995a534b5becc1676681e9c43a25e4a30332448f195ec5ae641b8b870", "type": "new_terms", "version": 211 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { - "min_stack_version": "8.3", "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": 
"91a18c0e34d966e4822caade08e77bf1677f953f76672f72c51ed95c86968438", "type": "query", "version": 106 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { - "min_stack_version": "8.3", "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", "sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8", "type": "eql", "version": 106 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Calling the Metadata Service", "sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5", "type": "machine_learning", "version": 103 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { - "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via EarthWorm", "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079", "type": "eql", "version": 110 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { - "min_stack_version": "8.3", "rule_name": "Potential Credential Access via DCSync", "sha256": "d4d6d4838b5cf551986e8f7b4335f15eb0910a85ed8f40f695e52e1141147407", "type": "eql", "version": 113 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "File Permission Modification in Writable Directory", - "sha256": "6c93604ac3f7c4e56ba67f913a4b594887a31706b87f87c25ce6fe48e9608fc3", - "type": "eql", - "version": 106 - } - }, "rule_name": "File Permission Modification in Writable Directory", "sha256": "bb48a554acead2212b1c7f843dc9352b7f546a24999c026f249e82bfb88acd46", "type": "new_terms", "version": 210 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Access Secret in Secrets Manager", - "sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe", - "type": "query", - "version": 106 - }, - "8.6": { - "max_allowable_version": 307, - "rule_name": "First Time Seen AWS 
Secret Value Accessed in Secrets Manager", - "sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263", - "type": "new_terms", - "version": 208 - } - }, "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "sha256": "378a46774155bf6146f1d357c4e693e994e2122c127ec368b79c9186c4eea17e", "type": "new_terms", "version": 310 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { - "min_stack_version": "8.3", "rule_name": "A scheduled task was updated", "sha256": "f72866c48ccae69c487c9485afbf8ca05fc67403d5bda38d738920206c830645", "type": "eql", "version": 8 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Python cap_setuid", "sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3", "type": "eql", "version": 3 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { - "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Topic Creation", "sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93", "type": "query", "version": 105 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { - "min_stack_version": "8.3", "rule_name": "InstallUtil Process Making Network Connections", "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f", "type": "eql", "version": 107 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { - "min_stack_version": "8.3", "rule_name": "File Deletion via Shred", "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48", "type": "eql", "version": 109 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { - "min_stack_version": "8.3", "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "90670896181f2ae7afdbd86f7ba48b393d39687df3d9ff84a3061265a8c90486", "type": "eql", "version": 106 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { - "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Distribution Installed", "sha256": 
"45960ca284b367be8f1699088f866e56e2c72c2a5205c1c1ac4a309354ab6119", "type": "eql", "version": 7 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { - "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Route Deletion", "sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99", "type": "query", "version": 104 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { - "min_stack_version": "8.7", "rule_name": "My First Rule", "sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29", "type": "threshold", "version": 3 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell Activity via Terminal", "sha256": "abc7a656bb0d4f63a1a6e01241d5070bd79d95767ddf50a96416c4cb1e21c0ea", "type": "eql", "version": 108 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { - "min_stack_version": "8.3", "rule_name": "Linux Group Creation", "sha256": "7fc88cc105fb44e6b06fe74f60102105a5d43b6174d0e52f9dafb31eda5b1bb7", "type": "eql", "version": 5 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { - "min_stack_version": "8.3", "rule_name": "DNS-over-HTTPS Enabled via Registry", "sha256": "6c0ebc416f6fb4c7549a97d6a862ad6d780640637db60c907841fa20c7c70d8a", "type": "eql", "version": 109 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", - "sha256": "337d1765f1495c27d1a5daf28740c34409d3a57bbf7be559211000d47dd66469", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", "sha256": "89b0c47b77b31a2b7c84dfe6195e371e6678e7153a116dd44c14e22eae50b16c", "type": "query", "version": 106 }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { - "min_stack_version": "8.3", "rule_name": "PowerShell Mailbox Collection Script", "sha256": 
"9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58", "type": "query", "version": 7 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { - "min_stack_version": "8.3", "rule_name": "Execution via local SxS Shared Module", "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525", "type": "eql", "version": 108 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { - "min_stack_version": "8.3", "rule_name": "Windows Registry File Creation in SMB Share", "sha256": "e99c94faaac0789d4c0eb4168bdc6ce7813ec01a2cecbf150147733d63850942", "type": "eql", @@ -6435,7 +4773,6 @@ "version": 100 }, "a52a9439-d52c-401c-be37-2785235c6547": { - "min_stack_version": "8.8", "rule_name": "Netcat Listener Established Inside A Container", "sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146", "type": "eql", 
@@ -6449,100 +4786,78 @@ "version": 2 }, "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { - "min_stack_version": "8.6", "rule_name": "Potential Reverse Shell via UDP", "sha256": "1576ee101633693a68c7a223bc0bf033bf243cde11d3831ca0ba638c6761c681", "type": "eql", "version": 6 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { - "min_stack_version": "8.3", "rule_name": "Potential SSH Brute Force Detected on Privileged Account", "sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22", "type": "eql", "version": 5 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df", "type": "query", "version": 209 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { - "min_stack_version": "8.3", "rule_name": "Azure Active Directory PowerShell Sign-in", "sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372", "type": "query", "version": 105 }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { - "min_stack_version": "8.5", "rule_name": "Threat Intel Windows Registry Indicator Match", "sha256": "498e400e2ab211c23df18b38f3485b255be2cf09808ae8221fc1f70ecfd680b6", "type": "threat_match", "version": 6 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { - "min_stack_version": "8.3", "rule_name": "Suspicious MS Office Child Process", "sha256": "255c381e83fba4080d9c7a3ab7f1997d7a8cb5d664c64a8cd19f0be970ca8ae4", "type": "eql", "version": 112 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { - "min_stack_version": "8.3", "rule_name": "Emond Rules Creation or Modification", "sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287", "type": "eql", "version": 107 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": 
{ - "min_stack_version": "8.9", "rule_name": "High Mean of RDP Session Duration", "sha256": "22baca917bf8d8852f30384b7d4813aa7a370126e0338be3886963d94f2e6b8a", "type": "machine_learning", "version": 3 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { - "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler SPL File Created", "sha256": "ee29d9d05c756fbec35c09510be9ed92564671e5159b5e4afe4d9c4ff65d31ef", "type": "eql", "version": 111 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { - "min_stack_version": "8.3", "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "09276f9e697db4a2e29daddbecd34ad8fae5dcd59a2a81e1f5ef2bcfe9c3ba02", "type": "eql", "version": 110 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { - "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: POST Request Declined", "sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88", "type": "query", "version": 102 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { - "min_stack_version": "8.3", "rule_name": "Suspicious File Downloaded from Google Drive", "sha256": "3d43bb8629f6abf3044732ac8445f0e4aff8492b8f21845bf1d349e73ab15295", "type": "eql", "version": 3 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { - "min_stack_version": "8.9", "rule_name": "High Variance in RDP Session Duration", "sha256": "0c85e6c7047aef4143e8ed835f2d0fcafad301de7eb334082e04ff5a498e5539", "type": "machine_learning", 
@@ -6555,183 +4870,126 @@ "version": 100 }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2", "type": "query", "version": 206 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Google Workspace Password Policy Modified", - "sha256": "6b7426c4610c0d99417b08152597279e42d5e7fb9b2a510913b106dddafe7abb", - "type": "query", - "version": 104 - } - }, "rule_name": "Google Workspace Password Policy Modified", "sha256": "de0ced40cd29bb489ca1a27d785bb3d66ba4d0711f5d8d42268c9f8cab7c7df9", "type": "query", "version": 205 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { - "min_stack_version": "8.3", "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "269e37223d35d504bd02023f1fc605e200979bbabb0ee082953950adaf35c4fd", "type": "eql", "version": 108 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { - "min_stack_version": "8.3", "rule_name": "IPSEC NAT Traversal Port Activity", "sha256": "8dcd8a517f60e962d4ebf18984358abb4a22823f7b32a4e918d1aa3645fa0fee", "type": "query", "version": 104 }, "aa8007f0-d1df-49ef-8520-407857594827": { - "min_stack_version": "8.3", "rule_name": "GCP IAM Custom Role Creation", "sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f", "type": "query", "version": 104 }, "aa895aea-b69c-4411-b110-8d7599634b30": { - "min_stack_version": "8.3", "rule_name": "System Log File Deletion", "sha256": "88dcf75e81a5a91c9684e0298310a93c5b5106d24091836c69728729c85e6246", "type": "eql", "version": 110 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": 
{ - "min_stack_version": "8.3", "rule_name": "Remotely Started Services via RPC", "sha256": "e72234fda58c725e6bbfb3c02d000a1276fc1ff4868a63532863b43b2780d3f8", "type": "eql", "version": 112 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { - "min_stack_version": "8.3", "rule_name": "Veeam Backup Library Loaded by Unusual Process", "sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3", "type": "eql", "version": 2 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { - "min_stack_version": "8.5", "rule_name": "Threat Intel Hash Indicator Match", "sha256": "fabef06c8a2e4298330aaf2e04e9c55737a516954c890d808e5d4a901aace9fe", "type": "threat_match", "version": 7 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { - "min_stack_version": "8.3", "rule_name": "Remote Execution via File Shares", "sha256": "8f4c528243e4b7fe54e84e7f66324d47f06fa299e52a0069c9f5d1cdea337050", "type": "eql", "version": 111 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51", "type": "machine_learning", "version": 103 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { - "min_stack_version": "8.3", "rule_name": "Potential Persistence via Login Hook", "sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9", "type": "query", "version": 108 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { - "min_stack_version": "8.3", "rule_name": "Suspicious WerFault Child Process", "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", "type": "eql", "version": 112 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Unusual AWS Command for a User", - "sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Unusual AWS Command for 
a User", "sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49", "type": "machine_learning", "version": 208 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { - "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Server", "sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9", "type": "eql", "version": 6 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { - "min_stack_version": "8.3", "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21", "type": "query", "version": 108 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "sha256": "9977bfb82687f6ee557f2f9474b1cac3eb4b8c16af795908ef9b4a20ab600653", - "type": "query", - "version": 104 - } - }, "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "sha256": "dff7c67640bd01423d897e090d914f6661f2ccbd00d363315a58d011cac71b65", "type": "query", "version": 205 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { - "min_stack_version": "8.3", "rule_name": "Potential Command and Control via Internet Explorer", "sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924", "type": "eql", "version": 106 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { - "min_stack_version": "8.3", "rule_name": "Potential macOS SSH Brute Force Detected", "sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9", "type": "threshold", "version": 108 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { - "min_stack_version": "8.3", "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a", "type": "eql", "version": 108 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { - "min_stack_version": "8.3", "rule_name": 
"Signed Proxy Execution via MS Work Folders", "sha256": "692d68785822926e449adf234c3a45035f0a8e73dd87386acac77931c9491543", "type": "eql", 
@@ -6744,121 +5002,96 @@ "version": 100 }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "e28b9f491eae0c8a606f9d315389ac4a117e5d30674f8e4f4e1d3be16bc8d9c4", - "type": "query", - "version": 104 - } - }, "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "d1699c4738c1bd1387584e6a38c367c2f869b0045f7b6e2c635535f2dded6307", "type": "query", "version": 205 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { - "min_stack_version": "8.3", "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d", "type": "query", "version": 110 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { - "min_stack_version": "8.3", "rule_name": "Kerberos Cached Credentials Dumping", "sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6", "type": "query", "version": 106 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { - "min_stack_version": "8.3", "rule_name": "Suspicious APT Package Manager Execution", "sha256": "9cbc1daea47fb821c72c3e512bbb09b857e9a4b44454631dfe45b495c8adc9fa", "type": "eql", "version": 2 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { - "min_stack_version": "8.3", "rule_name": "File Transfer or Listener Established via Netcat", "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584", "type": "eql", "version": 110 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { - "min_stack_version": "8.3", "rule_name": "Suspicious Communication App Child Process", "sha256": "da78216a16bc023bec70850e08c999466fb372bf4f11fd44445aaed67089a16c", "type": "eql", "version": 4 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { - "min_stack_version": "8.3", "rule_name": "Suspicious File Creation via Kworker", "sha256": "80da89056385e4d385d191289e923d9442a852f1c96b7aeb235b36a9e4a0ca35", "type": "eql", "version": 3 }, 
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", "type": "eql", "version": 5 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { - "min_stack_version": "8.6", "rule_name": "Shared Object Created or Changed by Previously Unknown Process", "sha256": "d43a905984d229cdcd4e06eb6b7f44f165c335ebfb4840dde015f22b680c1f92", "type": "new_terms", "version": 7 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { - "min_stack_version": "8.3", "rule_name": "Unusual User Privilege Enumeration via id", "sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123", "type": "eql", "version": 4 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { - "min_stack_version": "8.3", "rule_name": "Local Scheduled Task Creation", "sha256": "5291c4a420b199ea0cda7c00ad93a5114d95d9fcd73a07e12060d164eb0601e6", "type": "eql", "version": 107 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { - "min_stack_version": "8.3", "rule_name": "Network Activity Detected via cat", "sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6", "type": "eql", "version": 6 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Container Misconfiguration", "sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19", "type": "eql", "version": 5 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { - "min_stack_version": "8.3", "rule_name": "Timestomping using Touch Command", "sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4", "type": "eql", "version": 106 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { - "min_stack_version": "8.3", "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", "sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f", "type": "query", "version": 106 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { - 
"min_stack_version": "8.3", "rule_name": "Netsh Helper DLL", "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", "type": "eql", 
@@ -6878,95 +5111,66 @@ "version": 100 }, "b2318c71-5959-469a-a3ce-3a0768e63b9c": { - "min_stack_version": "8.3", "rule_name": "Potential Network Share Discovery", "sha256": "fda7288ed57e11d03d2af7b74755b704d96c32f3c69abe245de1378438bd144f", "type": "eql", "version": 3 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { - "min_stack_version": "8.3", "rule_name": "Spike in Network Traffic", "sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6", "type": "machine_learning", "version": 103 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { - "min_stack_version": "8.3", "rule_name": "Remote File Copy via TeamViewer", "sha256": "f9c74dae522f96b99ef91c8690d3294d5bb57ed3568290e9c6c2b4877c99bbd4", "type": "eql", "version": 111 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Unusual Volume of File Deletion", "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf", "type": "query", "version": 206 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { - "min_stack_version": "8.3", "rule_name": "Network Connection via Compiled HTML File", "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", "type": "eql", "version": 108 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Username", "sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016", "type": "machine_learning", "version": 103 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { - "min_stack_version": "8.3", "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "01e8d9f7974e3c66e2916edad7f04fe3fbd842ed064a7ac1067df9d6d61ecadf", "type": "eql", "version": 111 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { - 
"min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Built-in tools", "sha256": "204caab60a2c4641de7b31aaedca2147bb76d02c5e8bae82907f04607536563e", "type": "eql", "version": 7 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { - "min_stack_version": "8.3", "rule_name": "Potential Persistence via Atom Init Script Modification", "sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900", "type": "query", "version": 106 }, "b45ab1d2-712f-4f01-a751-df3826969807": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS STS GetSessionToken Abuse", "sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670", "type": "query", "version": 206 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { - "min_stack_version": "8.3", "rule_name": "At.exe Command Lateral Movement", "sha256": "041e17a0cd55085d79466cf06aaa8ca81ef2b30a9e42291395534ce27ba0062a", "type": "eql", @@ -6975,7 +5179,7 @@ "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04", 
@@ -6989,49 +5193,42 @@ "version": 206 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via OverlayFS", "sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93", "type": "eql", "version": 5 }, "b5877334-677f-4fb9-86d5-a9721274223b": { - "min_stack_version": "8.3", "rule_name": "Clearing Windows Console History", "sha256": "0d87128fdfdcb58febe6605148de68b8ab413e129191227eca12360248a76681", "type": "eql", "version": 111 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { - "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "7a7554033f500cdd7964ffd328c581dfbdd9b26c040569d42581504a70e468d3", "type": "eql", "version": 111 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { - "min_stack_version": "8.3", "rule_name": "Elastic Agent Service Terminated", "sha256": "8abfc44bc5f8a00effd8c97c81a841dcc2cbe6cd3e2da51a5b277f96c2baf671", "type": "eql", "version": 106 }, "b64b183e-1a76-422d-9179-7b389513e74d": { - "min_stack_version": "8.3", "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "1e8be0b94b78d86bb0d30e6a4e6d28c81c9c5bdf2b9494ac9c0d7fb465491bae", "type": "eql", "version": 109 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { - "min_stack_version": "8.3", "rule_name": "Potential Veeam Credential Access Command", "sha256": "e589053c5a7013b3bb2c3d76d1617fcdda617b6aa8dbfa31adf5e34b95f095d2", "type": "eql", "version": 1 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { - "min_stack_version": "8.3", "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09", "type": "query", 
@@ -7040,7 +5237,7 @@ "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8", @@ -7054,7 +5251,6 @@ "version": 206 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { - "min_stack_version": "8.3", "rule_name": "Potential Buffer Overflow Attack Detected", "sha256": "3e26fdf6574102a4aa2b239c1e4420684c6f3527b1aca67cf62cc4b42858a6f4", "type": "threshold", @@ -7063,7 +5259,7 @@ "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3", 
@@ -7077,190 +5273,132 @@ "version": 205 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { - "min_stack_version": "8.3", "rule_name": "Linux System Information Discovery", "sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61", "type": "eql", "version": 3 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { - "min_stack_version": "8.3", "rule_name": "PowerShell Invoke-NinjaCopy script", "sha256": "40c977b1f7dad3726a8f0c97749e00256994f75580fd498135538a04857e663d", "type": "query", "version": 5 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { - "min_stack_version": "8.3", "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93", "type": "eql", "version": 108 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { - "min_stack_version": "8.3", "rule_name": "Network Connection via MsXsl", "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", "type": "eql", "version": 106 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { - "min_stack_version": "8.3", "rule_name": "Kirbi File Creation", "sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f", "type": "eql", "version": 5 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", "type": "eql", "version": 109 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { - "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", "sha256": "762949859141699af6a491db1a4f5b059db590cbadd27aa2267653760c23d23d", "type": "eql", "version": 111 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { - "min_stack_version": "8.3", "rule_name": "Discovery of Domain Groups", "sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677", "type": "eql", "version": 2 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { - "min_stack_version": "8.3", 
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", "sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c", "type": "threshold", "version": 4 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { - "min_stack_version": "8.3", "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "7e1d07811eee139eca2af001c453e529a605e642fafc1cadfeac9817862c3f0c", "type": "query", "version": 109 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { - "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", "sha256": "bbdba9f735a270571a5a0f1df636cdd573417d76ebf91c3ee006046ae88f685d", "type": "eql", "version": 110 }, "b9960fef-82c6-4816-befa-44745030e917": { - "min_stack_version": "8.3", "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "6cf76bf28c6818bd0c1e9cacc68a44909ca3c50f197b96e96bd34ffd2f935ec8", "type": "eql", "version": 109 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Network Activity", "sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad", "type": "machine_learning", "version": 103 }, "ba81c182-4287-489d-af4d-8ae834b06040": { - "min_stack_version": "8.3", "rule_name": "Kernel Driver Load by non-root User", "sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844", "type": "eql", "version": 3 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { - "min_stack_version": "8.3", "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", "type": "eql", "version": 109 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { - "min_stack_version": "8.3", "rule_name": "Azure Resource Group Deletion", "sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576", "type": "query", "version": 102 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { - "min_stack_version": "8.9", - "previous": { - "8.3": { 
- "max_allowable_version": 204, - "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EC2 Encryption Disabled", "sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834", "type": "query", "version": 206 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "OneDrive Malware File Upload", - "sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814", - "type": "query", - "version": 106 - } - }, "rule_name": "OneDrive Malware File Upload", "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa", "type": "query", "version": 206 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { - "min_stack_version": "8.3", "rule_name": "Potential SYN-Based Network Scan Detected", "sha256": "8413e204b3d4d4145ea9cfe859daf5ecaf39fd776bf87f7090a82205de0b5b52", "type": "threshold", "version": 5 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee", - "type": "query", - "version": 107 - } - }, "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3", "type": "query", "version": 207 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS Root Login Without MFA", - "sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS Root Login Without MFA", "sha256": 
"82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157", "type": "query", "version": 209 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { - "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Deletion", "sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d", "type": "query", 
@@ -7274,223 +5412,168 @@ "version": 2 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { - "min_stack_version": "8.3", "rule_name": "Attempt to Install Root Certificate", "sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972", "type": "query", "version": 106 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { - "min_stack_version": "8.3", "rule_name": "Azure Conditional Access Policy Modified", "sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c", "type": "query", "version": 102 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { - "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port SSH connection", "sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26", "type": "eql", "version": 5 }, "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { - "min_stack_version": "8.3", "rule_name": "File and Directory Permissions Modification", "sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139", "type": "eql", "version": 2 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { - "min_stack_version": "8.3", "rule_name": "GCP Service Account Disabled", "sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace", "type": "query", "version": 104 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { - "min_stack_version": "8.9", "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "sha256": "37e01c0b463876a5acee70bb565d205c8a2e8c5a7b3d99a24e16939f97360a9f", "type": "query", "version": 3 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { - "min_stack_version": "8.3", "rule_name": "PowerShell Keylogging Script", "sha256": "92008de004bfec5733b4d1f7cd48ddbe75ac79f7f3c92d54d71bd7f5447d260d", "type": "query", "version": 112 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { - "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via CMSTP.exe", "sha256": "f9a5163bfb60ec1ac26ac681518a193a85b03a87dac342a3579a7b2ae3628e0b", "type": "eql", "version": 2 }, 
"bd7eefee-f671-494e-98df-f01daf9e5f17": { - "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "6214fb2abc887c66d7d514ccfc914faf98cb9befe4cb35f2f58a0e300787eb5c", "type": "eql", "version": 106 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { - "min_stack_version": "8.3", "rule_name": "Potential Pspy Process Monitoring Detected", "sha256": "3ebba1b3c0653e611e5c1abc4e917c868371220b6fb55954eafa7a8d7c6cf5fe", "type": "eql", "version": 7 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { - "min_stack_version": "8.3", "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "c437d0e4938701b867702b775bb69d57f44e45a03be5d63d90f0dcde14ccbf39", "type": "eql", "version": 108 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { - "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", "sha256": "84baf4890842c179a0724a3835388a16dedfe1046dfd94a9b617aa56b37a7a2f", "type": "machine_learning", "version": 4 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { - "min_stack_version": "8.9", "rule_name": "Unusual Remote File Directory", "sha256": "f6b1ce1e97f8a9dd95bb99809d5d9a7bab6a0922fb0861afadc24970477e3b3f", "type": "machine_learning", "version": 3 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { - "min_stack_version": "8.3", "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "a22b02dc207eed11a68b3bf9569d0f06d0bfcc3b14a71b32fc505ee86b53aed4", "type": "eql", "version": 109 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Snapshot Restored", - "sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Snapshot Restored", "sha256": "867302d2c993c7e6bb06acb3bb9784e8de51117e6d0fdd1a5a8e040e24fab59f", "type": "query", "version": 206 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { - 
"min_stack_version": "8.3", "rule_name": "System Owner/User Discovery Linux", "sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df", "type": "eql", "version": 3 }, "bfba5158-1fd6-4937-a205-77d96213b341": { - "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", "sha256": "385716bc0770d6b023580d5b0a92a34581e351560a3bd43bd4ce2b3b01ef84c1", "type": "machine_learning", "version": 3 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { - "min_stack_version": "8.3", "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "630b95897e137de2d3ff315926d388d39ed6ad5c19948a8fe0cb4c564d32b99e", "type": "eql", "version": 111 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { - "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", "sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579", "type": "eql", "version": 107 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { - "min_stack_version": "8.3", "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "8020f015d723e31af612bbc7e570f0f7a2bf57c3cc13447eb5bccd3e39385ca8", "type": "eql", "version": 109 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { - "min_stack_version": "8.3", "rule_name": "Memory Dump File with Unusual Extension", "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", "type": "eql", "version": 2 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { - "min_stack_version": "8.3", "rule_name": "Credential Manipulation - Detected - Elastic Endgame", "sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3", "type": "query", "version": 103 }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { - "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI index.html File", "sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa", "type": "eql", "version": 6 }, 
"c1812764-0788-470f-8e74-eb4a14d47573": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EC2 Full Network Packet Capture Detected", "sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63", "type": "query", "version": 206 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 100, - "rule_name": "Unsigned DLL Loaded by a Trusted Process", - "sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878", - "type": "eql", - "version": 1 - } - }, "rule_name": "Unsigned DLL Loaded by a Trusted Process", "sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43", "type": "eql", "version": 102 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { - "min_stack_version": "8.3", "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": "03334e1d43f8d53c06b92628435b5af954f2211ff41ff4ed7467bf8a8065cdef", "type": "eql", "version": 110 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Connection Discovery", "sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d", "type": "machine_learning", "version": 103 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { - "min_stack_version": "8.3", "rule_name": "Persistence via Folder Action Script", "sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa", "type": "eql", 
@@ -7504,112 +5587,96 @@ "version": 2 }, "c2d90150-0133-451c-a783-533e736c12d7": { - "min_stack_version": "8.3", "rule_name": "Mshta Making Network Connections", "sha256": "7b3bec275d247d0cc1c4772be5f41fcfca282df6146f830777ed87b4c663f7e5", "type": "eql", "version": 107 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { - "min_stack_version": "8.3", "rule_name": "Permission Theft - Detected - Elastic Endgame", "sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5", "type": "query", "version": 103 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { - "min_stack_version": "8.3", "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156", "type": "eql", "version": 107 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { - "min_stack_version": "8.3", "rule_name": "Potential JAVA/JNDI Exploitation Attempt", "sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8", "type": "eql", "version": 104 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { - "min_stack_version": "8.3", "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "a814b9dc474566b81d9b80f83a1fbb21d506490be5d1a791c6a040402576193e", "type": "eql", "version": 109 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { - "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", "type": "eql", "version": 107 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { - "min_stack_version": "8.3", "rule_name": "Windows System Network Connections Discovery", "sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4", "type": "eql", "version": 4 }, "c55badd3-3e61-4292-836f-56209dc8a601": { - "min_stack_version": "8.3", "rule_name": "Attempted Private Key Access", "sha256": "92447cf8bb6de4a626ecd420b9c64922484cb49f216d13292e833c1abdb4786c", "type": "eql", "version": 3 }, "c5677997-f75b-4cda-b830-a75920514096": { - 
"min_stack_version": "8.3", "rule_name": "Service Path Modification via sc.exe", "sha256": "6d70ac346b080bca5ad2083c56ff66bd01f63204483b047353855e7898b39862", "type": "eql", "version": 3 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { - "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", "type": "eql", "version": 109 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { - "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Network Deletion", "sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276", "type": "query", "version": 104 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { - "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f", "type": "eql", "version": 108 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { - "min_stack_version": "8.3", "rule_name": "Installation of Custom Shim Databases", "sha256": "7ea702b1b6d7a8309d8d11e16505cb9ca2a3b1c906e7aeadacdefea24d0397b6", "type": "eql", "version": 108 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { - "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "a8e1a000f912f5f42f3894fdca0458d10666994f165781a4fbd5db031f5a6712", "type": "eql", "version": 110 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { - "min_stack_version": "8.3", "rule_name": "CyberArk Privileged Access Security Recommended Monitor", "sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f", "type": "query", "version": 102 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { - "min_stack_version": "8.3", "rule_name": "Remote File Download via MpCmdRun", "sha256": "3338fefccfc7c7d86404c1a054f09f2b43fdbeadba93b27dcfe7c04d6994303f", "type": "eql", 
@@ -7624,7 +5691,7 @@ "c749e367-a069-4a73-b1f2-43a3798153ad": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a", @@ -7640,7 +5707,7 @@ "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Attempt to Modify an Okta Application", "sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0", 
@@ -7654,65 +5721,48 @@ "version": 205 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { - "min_stack_version": "8.3", "rule_name": "Unusual Network Connection via DllHost", "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", "type": "eql", "version": 107 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "e431240326e0ddb66017b695a15db0269ad7b4e5bde7cf37b10f01159fb9da19", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Privileged Pod Created", "sha256": "276c33d57b4e3046ff3bf3eab838110627d9f8d9214a01036a62561084c6073a", "type": "query", "version": 203 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { - "min_stack_version": "8.3", "rule_name": "Unusual File Modification by dns.exe", "sha256": "b865aba340d622e5f6840586849e814be1e565d1c59e1fcba5509683315c91cf", "type": "eql", "version": 110 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { - "min_stack_version": "8.3", "rule_name": "Spike in Network Traffic To a Country", "sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61", "type": "machine_learning", "version": 104 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { - "min_stack_version": "8.3", "rule_name": "Persistence via Docker Shortcut Modification", "sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37", "type": "query", "version": 107 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { - "min_stack_version": "8.3", "rule_name": "SMB (Windows File Sharing) Activity to the Internet", "sha256": "6420c0fe2bee67b51779e539f2cfe3b480539c36abf148d1d69db79d6f2e8f67", "type": "query", "version": 103 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { - "min_stack_version": "8.3", "rule_name": "Direct Outbound SMB Connection", "sha256": "a30cf230b1215a2e0fd884167dfbb8fd92e5b63fa7a5cb2c9e9a8a306316de4d", "type": "eql", "version": 110 }, 
"c85eb82c-d2c8-485c-a36f-534f914b7663": { - "min_stack_version": "8.3", "rule_name": "Virtual Machine Fingerprinting via Grep", "sha256": "a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827", "type": "eql", 
@@ -7725,65 +5775,48 @@ "version": 100 }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { - "min_stack_version": "8.3", "rule_name": "Parent Process PID Spoofing", "sha256": "43c26bdd413e7e6c52b50b9c579663b2ab48285b83a1f794fd636727baf21733", "type": "eql", "version": 106 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Ransomware Note Creation Detected", "sha256": "a6ee22bb7fef22f21c9792186337bc557bd1aaba670d4de8d077fd7892d46ad2", "type": "eql", "version": 8 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { - "min_stack_version": "8.3", "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "a3f4ddc31c6570250920dc60269e68ec6344884c88aba870fb9998c5c1fb5319", "type": "eql", "version": 110 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { - "min_stack_version": "8.3", "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "2326092f64de27cbf684cdd4130d6f8695d0a42277b02fff7ebcc62350e56411", "type": "eql", "version": 110 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { - "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Communication Apps", "sha256": "b8c86e533a37c36a2eaef8f1d48ca8aa5a24b6665dc2328de3b3cc5eb1d2ad51", "type": "eql", "version": 5 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { - "min_stack_version": "8.3", "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", "sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3", "type": "query", "version": 103 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", 
"type": "query", "version": 206 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { - "min_stack_version": "8.4", "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", "sha256": "6b71d73f704e96ab028ab9aa5fef9a3b487e35fe5cc322c1a118c9102720af9a", "type": "eql", @@ -7796,39 +5829,18 @@ "version": 100 }, "cac91072-d165-11ec-a764-f661ea17fbce": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "6ab73acfdcd8636a87c0fd8b1342d5e96de8cbd74ed0e4f4dbb689c32a3cbffa", - "type": "eql", - "version": 108 - } - }, "rule_name": "Abnormal Process ID or Lock File Created", "sha256": "b4f2c9fe5dcc43eb113d00600fc6a7ca5091c0957af96c084ee2d9a790aa3a2a", "type": "new_terms", "version": 213 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "a8e10bb292478990aa0c82694fcd3621b81383a8058b87a25449238641d59e3b", - "type": "query", - "version": 107 - } - }, "rule_name": "Google Workspace MFA Enforcement Disabled", "sha256": "8a1f92b90737453373b48d24dd4dfd6e29615794a9ccaf5df7ba1a0ecf5d5e2a", "type": "query", "version": 207 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { - "min_stack_version": "8.3", "rule_name": "Suspicious Calendar File Modification", "sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da", "type": "query", @@ -7841,7 +5853,6 @@ "version": 100 }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { - "min_stack_version": "8.3", "rule_name": "Attempt to Enable the Root Account", "sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d", "type": "query", 
@@ -7855,30 +5866,18 @@ "version": 2 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { - "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", "sha256": "fe1015d6d9d15270cdedd676b577c3057d2552db4ce585e3c82437e7999cc037", "type": "machine_learning", "version": 3 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Workspace User Organizational Unit Changed", - "sha256": "50eab7a58d52dc1eb0e8d8af2d5ca140762dfdf60970d1e7d5fcbf80aff362f4", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace User Organizational Unit Changed", "sha256": "98638b8378e232c3d8a54f3b4ec12fa3eae908ba56a658c7557b22c25766b823", "type": "query", "version": 106 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { - "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Subscription Deletion", "sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408", "type": "query", @@ -7887,7 +5886,7 @@ "cc92c835-da92-45c9-9f29-b4992ad621a0": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999", @@ -7901,7 +5900,6 @@ "version": 207 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { - "min_stack_version": "8.3", "rule_name": "Potential Process Herpaderping Attempt", "sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2", "type": "eql", @@ -7910,7 +5908,7 @@ "cd16fb10-0261-46e8-9932-a0336278cdbe": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6", 
@@ -7930,21 +5928,18 @@ "version": 100 }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { - "min_stack_version": "8.3", "rule_name": "Anomalous Linux Compiler Activity", "sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793", "type": "machine_learning", "version": 103 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { - "min_stack_version": "8.3", "rule_name": "Kernel Module Removal", "sha256": "8e7fd75b780b1265825a7a783ea3000b983acf3ce3100a49edb797139b01e31f", "type": "eql", "version": 109 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { - "min_stack_version": "8.3", "rule_name": "Downloaded URL Files", "sha256": "1a31489f793c58d433963910d8327747a3e7824bf11685358836a38183e8aca0", "type": "eql", @@ -7953,7 +5948,7 @@ "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate MFA for an Okta User Account", "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7", @@ -7969,7 +5964,7 @@ "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Okta User Session Impersonation", "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5", @@ -7985,7 +5980,7 @@ "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 110, "rule_name": "Potential PowerShell HackTool Script by Function Names", "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", 
@@ -7999,107 +5994,84 @@ "version": 111 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { - "min_stack_version": "8.8", "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca", "type": "new_terms", "version": 1 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { - "min_stack_version": "8.3", "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "38c701cbddca58faa29370862beddbbc9839ee8f8ef4985c006e2f03acecfdb7", "type": "eql", "version": 109 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { - "min_stack_version": "8.3", "rule_name": "Cobalt Strike Command and Control Beacon", "sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967", "type": "query", "version": 105 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "c773965d1c83361d3745d38a93d9ac9380056a79a5f3d4ebff542d94a9a369ce", - "type": "query", - "version": 104 - } - }, "rule_name": "Domain Added to Google Workspace Trusted Domains", "sha256": "15e692b56a4792a0434440ea85ef264cbfb31e1ebd9bdc618a03987f928a53a1", "type": "query", "version": 205 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { - "min_stack_version": "8.6", "rule_name": "Unusual Discovery Activity by User", "sha256": "2dec950ffa14b4863a879f391b045196709a774f032c8bc35d8f61ba20e2bfff", "type": "new_terms", "version": 1 }, "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { - "min_stack_version": "8.3", "rule_name": "Trap Signals Execution", "sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4", "type": "eql", "version": 2 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { - "min_stack_version": "8.3", "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "1e5d776df1e502f5d444b1a1e6cdcfc3de4ad784a603e7e0f23aaed9eae2f766", "type": "eql", 
"version": 112 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { - "min_stack_version": "8.3", "rule_name": "Archive File with Unusual Extension", "sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3", "type": "eql", "version": 2 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { - "min_stack_version": "8.3", "rule_name": "Namespace Manipulation Using Unshare", "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e", "type": "eql", "version": 9 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { - "min_stack_version": "8.8", "rule_name": "AWS Credentials Searched For Inside A Container", "sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e", "type": "eql", "version": 1 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { - "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppInit DLL", "sha256": "4ec85ed3f6241a6015c998b91cdbbcf438629be2a40cdbfce1a173ebabd7c292", "type": "eql", "version": 110 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { - "min_stack_version": "8.3", "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "c8d1d7cc4181248cc8906dbc6d37aa62c162ed9bde92f7b4daf42b912e451197", "type": "eql", "version": 111 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { - "min_stack_version": "8.3", "rule_name": "Expired or Revoked Driver Loaded", "sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2", "type": "eql", "version": 5 }, "d197478e-39f0-4347-a22f-ba654718b148": { - "min_stack_version": "8.3", "rule_name": "Compression DLL Loaded by Unusual Process", "sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce", "type": "eql", 
@@ -8112,42 +6084,36 @@ "version": 100 }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { - "min_stack_version": "8.3", "rule_name": "Potential Microsoft Office Sandbox Evasion", "sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2", "type": "query", "version": 106 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { - "min_stack_version": "8.3", "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "603191c9e9fe22a6f972c18bfb548360ab4f4b1378a58e8a4a24479548e8b1d0", "type": "eql", "version": 110 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { - "min_stack_version": "8.3", "rule_name": "Clearing Windows Event Logs", "sha256": "1c0780a844be282bd8fdfb0d608fa65473ba2d01d1a5be9e50e2e08039542576", "type": "eql", "version": 112 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { - "min_stack_version": "8.3", "rule_name": "Remote Windows Service Installed", "sha256": "63102ba4aec4aaab713fffceebe688d706bb41cdf8bcf23d4055467011cb9fb9", "type": "eql", "version": 6 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { - "min_stack_version": "8.3", "rule_name": "WMI WBEMTEST Utility Execution", "sha256": "76b2081709ea9b401fc695d779a14dfa839fbd99eb19c8510b2ea6c5f7e7b4f4", "type": "eql", "version": 2 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { - "min_stack_version": "8.3", "rule_name": "Shell Execution via Apple Scripting", "sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd", "type": "eql", @@ -8156,7 +6122,7 @@ "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Attempt to Delete an Okta Application", "sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7", 
@@ -8170,35 +6136,30 @@ "version": 205 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { - "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", "sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7", "type": "query", "version": 102 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux System Information Discovery Activity", "sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f", "type": "machine_learning", "version": 103 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { - "min_stack_version": "8.3", "rule_name": "Unusual Source IP for a User to Logon from", "sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041", "type": "machine_learning", "version": 103 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { - "min_stack_version": "8.3", "rule_name": "Linux init (PID 1) Secret Dump via GDB", "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06", "type": "eql", "version": 6 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", "sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924", "type": "eql", @@ -8212,7 +6173,6 @@ "version": 3 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { - "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "42e3e1682134a7ed8c26d9a5ce2bcf4830d6a7af85268a0d2455a75e23119f6c", "type": "eql", @@ -8221,7 +6181,7 @@ "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6", 
@@ -8235,30 +6195,18 @@ "version": 206 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { - "min_stack_version": "8.3", "rule_name": "Service Command Lateral Movement", "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42", "type": "eql", "version": 107 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudWatch Log Stream Deletion", "sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578", "type": "query", "version": 209 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { - "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Subscription Creation", "sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4", "type": "query", 
@@ -8271,155 +6219,102 @@ "version": 100 }, "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { - "min_stack_version": "8.3", "rule_name": "System Information Discovery via Windows Command Shell", "sha256": "e564b576c629a29ec8088864b78c7c81c8d46453cc5e038a33fdd24d4a3a2641", "type": "eql", "version": 10 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91", "type": "query", "version": 206 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { - "min_stack_version": "8.3", "rule_name": "Modification of WDigest Security Provider", "sha256": "c7b2137213e37ccba915d2c30fa260188c065d8e939c56b72e4fd1f4001d72df", "type": "eql", "version": 109 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { - "min_stack_version": "8.3", "rule_name": "Command Execution via SolarWinds Process", "sha256": "84b33e85f61fe174e8ec6980e6480028773e96980d267505f090cfa2d2460192", "type": "eql", "version": 111 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d", "type": "query", "version": 206 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { - "min_stack_version": "8.3", "rule_name": "Suspicious Memory grep Activity", "sha256": "b142483255de74b46aa32d1dd3a28f2821bb97997be6bae899e84c0d30fa9165", "type": 
"eql", "version": 2 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { - "min_stack_version": "8.7", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "SystemKey Access via Command Line", - "sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d", - "type": "query", - "version": 106 - } - }, "rule_name": "SystemKey Access via Command Line", "sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091", "type": "query", "version": 206 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { - "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Python", "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", "type": "eql", "version": 110 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { - "min_stack_version": "8.3", "rule_name": "Azure Blob Permissions Modification", "sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f", "type": "query", "version": 103 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { - "min_stack_version": "8.3", "rule_name": "Spike in Logon Events", "sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203", "type": "machine_learning", "version": 103 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { - "min_stack_version": "8.3", "rule_name": "SMTP on Port 26/TCP", "sha256": "8bf03857acd5416922cae6018a42266418009a83c60f4fa6388d0ac603af5f0b", "type": "query", "version": 104 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { - "min_stack_version": "8.3", "rule_name": "Untrusted Driver Loaded", "sha256": "9b90c86424390fccfc1959785af10eeade5e654612545617582dca1058cb17b8", "type": "eql", "version": 8 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS IAM Deactivation of MFA 
Device", "sha256": "e70bcba5f981ab9bc5d058baf0631ea65c4172e55502ae1f6b6fceeca1035906", "type": "query", "version": 209 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { - "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1", "type": "eql", "version": 111 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { - "min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Registry", "sha256": "9ebf3042fc83b25b6a39a0cc87927cefb341ebb08bcce8749b4e07166ba98d0d", "type": "eql", "version": 9 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { - "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "sha256": "6ede570261a72bdcdf1e10f2f1fa1f9d331da8df7293f982df1b311120e88083", "type": "query", "version": 3 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { - "min_stack_version": "8.3", "rule_name": "Suspicious Service was Installed in the System", "sha256": "21882fe93edaef610a0b27aef9155e98576d28411bb1deb9914a0163f9f81694", "type": "eql", 
@@ -8432,42 +6327,36 @@ "version": 100 }, "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { - "min_stack_version": "8.4", "rule_name": "Potential Pass-the-Hash (PtH) Attempt", "sha256": "fb420a72b427d67311f02098a93854b2a6bd5c733b6cbca4275ee920329b9b9e", "type": "new_terms", "version": 3 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { - "min_stack_version": "8.3", "rule_name": "Multi-Factor Authentication Disabled for an Azure User", "sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee", "type": "query", "version": 105 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { - "min_stack_version": "8.3", "rule_name": "Network-Level Authentication (NLA) Disabled", "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474", "type": "eql", "version": 3 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { - "min_stack_version": "8.3", "rule_name": "Execution via Windows Subsystem for Linux", "sha256": "3bcb0230882be5c94ef22fde8ca625bfde5e40e20e1e545cf8a0f68d01c7e8f3", "type": "eql", "version": 6 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { - "min_stack_version": "8.3", "rule_name": "Credential Dumping - Prevented - Elastic Endgame", "sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65", "type": "query", "version": 103 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { - "min_stack_version": "8.3", "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", "type": "eql", 
@@ -8480,132 +6369,90 @@ "version": 100 }, "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { - "min_stack_version": "8.3", "rule_name": "Potential Hidden Process via Mount Hidepid", "sha256": "abccbf694da0eb306df7f606501df6d3e19475e12fbcd106342e187528d0ecf7", "type": "eql", "version": 8 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { - "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "2d9e1771d9606f5f38126860db0e8757d223c30ae4a1b3b93d60ac17b0127a99", "type": "eql", "version": 110 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Unusual Country For an AWS Command", - "sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Unusual Country For an AWS Command", "sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561", "type": "machine_learning", "version": 208 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution from INET Cache", "sha256": "6b58cc9b14a7fac5ea7f584782e3f3c7161f78158b1ce3fe3c33928ebba3d84d", "type": "eql", "version": 2 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { - "min_stack_version": "8.3", "rule_name": "Attempt to Install Kali Linux via WSL", "sha256": "51ebf76d12a58d9db10b3a9d16c79ee0ae0672fa77f9fd0682b3796a7520351a", "type": "eql", "version": 7 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { - "min_stack_version": "8.3", "rule_name": "Reverse Shell Created via Named Pipe", "sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c", "type": "eql", "version": 6 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { - "min_stack_version": "8.3", "rule_name": "NullSessionPipe Registry Modification", "sha256": "6c3d142ca53ffc037b333b4699eb891e35c11d1ca95aa3ae6347fb173bc33735", "type": "eql", "version": 108 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { - 
"min_stack_version": "8.3", "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "0a0a64ff02f4040cf251994361f673fa3c6618edb6d38387c8adf5f5749f4b5a", "type": "eql", "version": 110 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { - "min_stack_version": "8.3", "rule_name": "Base16 or Base32 Encoding/Decoding Activity", "sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", "type": "eql", "version": 110 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 101, - "rule_name": "Query Registry using Built-in Tools", - "sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd", - "type": "eql", - "version": 2 - } - }, "rule_name": "Query Registry using Built-in Tools", "sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd", "type": "new_terms", "version": 105 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { - "min_stack_version": "8.6", "rule_name": "First Time Seen Driver Loaded", "sha256": "7e66246ea00c9698fbfa57311793c02739cbad96d59bd88bbda9dbc752e4ac58", "type": "new_terms", "version": 7 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce", "type": "machine_learning", "version": 103 }, "df26fd74-1baa-4479-b42e-48da84642330": { - "min_stack_version": "8.3", "rule_name": "Azure Automation Account Created", "sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669", "type": "query", "version": 102 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { - "min_stack_version": "8.3", "rule_name": "Dynamic Linker Copy", "sha256": "abf419807a9782b1ea278f1682ee0d5be74e340e248aa42cb3303c3a41892725", "type": "eql", "version": 108 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 
199, - "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "8504c3a7241f7cfb70d23f3d06e6f6c5191c15f0ac37578efdc476c6230b04a6", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Pod Created With HostPID", "sha256": "b912b62e03d307861dc557cdbfc8fe17d54f7b8a394fee4ec9e46e4539393622", "type": "query", @@ -8618,35 +6465,30 @@ "version": 100 }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { - "min_stack_version": "8.3", "rule_name": "Potential privilege escalation via CVE-2022-38028", "sha256": "6c482e61313171b3dc7b0d4085b1103871e12cb403c6fa1d2048781f9e805253", "type": "eql", "version": 1 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { - "min_stack_version": "8.3", "rule_name": "Delayed Execution via Ping", "sha256": "c6fa799b2b134a4e7c34302b0b8f543c54dd38aaba6bfa93b1933a3374e41c71", "type": "eql", "version": 2 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { - "min_stack_version": "8.3", "rule_name": "Azure Firewall Policy Deletion", "sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0", "type": "query", "version": 102 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { - "min_stack_version": "8.3", "rule_name": "KRBTGT Delegation Backdoor", "sha256": "13d64c92f3533756a0657f2f8db2a099ab8cf25d1b5d1722dc5b880ec815bf34", "type": "query", "version": 107 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { - "min_stack_version": "8.3", "rule_name": "System Service Discovery through built-in Windows Utilities", "sha256": "c1e96e42705eb2de534b4ce6fa40b16c522e2bb6f8f8a0f0ff6ea140ff22680b", "type": "eql", @@ -8655,7 +6497,7 @@ "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "8e33c2c08ab3335a16db298608f1b8b793646a2abf1362acb2c0f316433293d0", 
@@ -8669,81 +6511,54 @@ "version": 208 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { - "min_stack_version": "8.3", "rule_name": "Potentially Suspicious Process Started via tmux or screen", "sha256": "da9fb3e751cf2aca3b76ff6969e48fb1e4f477f4832888b32a57290109f5982a", "type": "eql", "version": 4 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { - "min_stack_version": "7.16", "rule_name": "Whitespace Padding in Process Command Line", "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", "type": "eql", "version": 100 }, "e0f36de1-0342-453d-95a9-a068b257b053": { - "min_stack_version": "8.3", "rule_name": "Azure Event Hub Deletion", "sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7", "type": "query", "version": 102 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Route Table Created", - "sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Route Table Created", "sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5", "type": "query", "version": 207 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Cluster Creation", - "sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Cluster Creation", "sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6", "type": "query", "version": 206 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { - "min_stack_version": "8.3", "rule_name": "Connection to External Network via Telnet", "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", "type": "eql", "version": 107 }, "e1db8899-97c1-4851-8993-3a3265353601": { - "min_stack_version": "8.9", "rule_name": 
"Potential Data Exfiltration Activity to an Unusual ISO Code", "sha256": "2dfa5553eab948bb3ad46437fda2847c3d2d98e63aa80c10f1b8a179eb44b650", "type": "machine_learning", "version": 3 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { - "min_stack_version": "8.3", "rule_name": "Suspicious Mining Process Creation Event", "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", "type": "eql", "version": 6 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { - "min_stack_version": "8.3", "rule_name": "Spike in Successful Logon Events from a Source IP", "sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff", "type": "machine_learning", @@ -8752,7 +6567,7 @@ "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 211, "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", 
@@ -8773,95 +6588,66 @@ "version": 2 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS Management Console Root Login", - "sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS Management Console Root Login", "sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd", "type": "query", "version": 209 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { - "min_stack_version": "8.3", "rule_name": "System Network Connections Discovery", "sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1", "type": "eql", "version": 3 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { - "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", "sha256": "3e63bc85075d9b743e6bf54268defc21c112e95ddb806edfb8a78a3ab78903bc", "type": "eql", "version": 7 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { - "min_stack_version": "8.3", "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": "bee7840c66166d2669fe2c9007db541d327d9ea4a3fdfda0b9c233e216e4a37d", "type": "eql", "version": 111 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { - "min_stack_version": "8.3", "rule_name": "GCP IAM Role Deletion", "sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe", "type": "query", "version": 104 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { - "min_stack_version": "8.3", "rule_name": "Process Activity via Compiled HTML File", "sha256": "6cef2e899c6b4e9645a167a889392bdc93d93b0cdbefafa881495069c49f284e", "type": "eql", "version": 110 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12", - 
"type": "query", - "version": 105 - } - }, "rule_name": "AWS Route53 private hosted zone associated with a VPC", "sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525", "type": "query", "version": 206 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { - "min_stack_version": "8.3", "rule_name": "Ransomware - Prevented - Elastic Endgame", "sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462", "type": "query", "version": 103 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { - "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e", "type": "eql", "version": 107 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { - "min_stack_version": "8.3", "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", "sha256": "20a809b0c9d105e502a250b3d41b6934687bf4d74fbbedd98cef83bdf6d2658b", "type": "eql", "version": 110 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { - "min_stack_version": "8.4", "rule_name": "First Time Seen NewCredentials Logon Process", "sha256": "9a219e929d52b9d5fd2593524c043db217318eb6f540793dae2c595418f5dc02", "type": "new_terms", @@ -8870,7 +6656,7 @@ "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456", 
@@ -8884,30 +6670,18 @@ "version": 206 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { - "min_stack_version": "8.3", "rule_name": "Service Creation via Local Kerberos Authentication", "sha256": "c47f1f706cc482c626dc8045250f798362338387db47fe387412408b6be3bae1", "type": "eql", "version": 105 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { - "min_stack_version": "8.3", "rule_name": "Kerberos Pre-authentication Disabled for User", "sha256": "f31d2b25f3d2f895e14eab6c7ec29719c97852d5f2f99b2fa9357b9637c2f510", "type": "query", "version": 110 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "2c13a6fc437d2115e97e6e81a6d555601f5f93d05f444b9935bf76d94877c049", - "type": "query", - "version": 104 - } - }, "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "91e053deeef1fbe832a95085ef68f2122ba06d94e64114a2d0e61cf3f1d64d6f", "type": "query", @@ -8920,14 +6694,12 @@ "version": 100 }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { - "min_stack_version": "8.3", "rule_name": "Bash Shell Profile Modification", "sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3", "type": "query", "version": 104 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { - "min_stack_version": "8.3", "rule_name": "Authorization Plugin Modification", "sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e", "type": "query", @@ -8936,7 +6708,7 @@ "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Possible Okta DoS Attack", "sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391", 
@@ -8950,125 +6722,84 @@ "version": 205 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { - "min_stack_version": "8.3", "rule_name": "Screensaver Plist File Modified by Unexpected Process", "sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51", "type": "eql", "version": 107 }, "e7075e8d-a966-458e-a183-85cd331af255": { - "min_stack_version": "8.3", "rule_name": "Default Cobalt Strike Team Server Certificate", "sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e", "type": "query", "version": 104 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { - "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Memory Dump File Creation", "sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62", "type": "eql", "version": 3 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { - "min_stack_version": "8.3", "rule_name": "Execution of Persistent Suspicious Program", "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478", "type": "eql", "version": 107 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 104, - "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a", - "type": "eql", - "version": 6 - } - }, "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20", "type": "eql", "version": 106 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { - "min_stack_version": "8.3", "rule_name": "Potential Windows Session Hijacking via CcmExec", "sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a", "type": "eql", "version": 1 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { - "min_stack_version": "8.3", "rule_name": "Unusual Process For MSSQL Service Accounts", "sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8", "type": "eql", 
"version": 4 }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { - "min_stack_version": "8.3", "rule_name": "Unusual Execution via Microsoft Common Console File", "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35", "type": "eql", "version": 1 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Unshadow", "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393", "type": "eql", "version": 8 }, "e7cd5982-17c8-4959-874c-633acde7d426": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Route Table Modified or Deleted", "sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112", "type": "query", "version": 207 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { - "min_stack_version": "8.3", "rule_name": "Service Control Spawned via Script Interpreter", "sha256": "d821998e1160abb47ecede3b1c462e4239e82c189b4c1bb28462bb126a1b7765", "type": "eql", "version": 108 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { - "min_stack_version": "8.3", "rule_name": "Installation of Security Support Provider", "sha256": "7bacfc5c36b455bd387840ed3881384dccf76c4613c11307d4d5d00b45b71f4c", "type": "eql", "version": 108 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { - "min_stack_version": "8.3", "rule_name": "Host Files System Changes via Windows Subsystem for Linux", "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006", "type": "eql", "version": 7 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { - "min_stack_version": "8.6", - "previous": { - "8.4": { - "max_allowable_version": 102, - "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", - "sha256": 
"3a05a24c654cdb42c8718f7cf97e55b13d9be01f97cfd17a78db8f616168fa80", - "type": "new_terms", - "version": 3 - } - }, "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", "sha256": "f180246dbfb2cb7f01f796113f0a1b305d91c244c4989aef63cfc341e4431f35", "type": "new_terms", @@ -9077,7 +6808,7 @@ "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "36586610b72fd3df43dda1d0bfca8e2b7a439cde98a6b85da439993e98b9978d", 
@@ -9091,44 +6822,30 @@ "version": 208 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EC2 VM Export Failure", - "sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EC2 VM Export Failure", "sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c", "type": "query", "version": 206 }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { - "min_stack_version": "8.9", "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", "sha256": "1e89013def66c292205e6328af1471ef4e60e7476f31abb7718f73d3602c3e91", "type": "machine_learning", "version": 3 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { - "min_stack_version": "8.3", "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f", "type": "eql", "version": 111 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { - "min_stack_version": "8.3", "rule_name": "Potential LSA Authentication Package Abuse", "sha256": "d0a1dc56879cb56dc2747d8b68642dcb238491d808de81350698a3876b010d1e", "type": "eql", "version": 105 }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { - "min_stack_version": "8.9", "rule_name": "Spike in Remote File Transfers", "sha256": "c2714b3ba5f14682e3de18a33b34ee32dd30f9b08a177f6d6ff9c79ced3ef5e1", "type": "machine_learning", @@ -9141,7 +6858,6 @@ "version": 100 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { - "min_stack_version": "8.3", "rule_name": "Azure Automation Webhook Created", "sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078", "type": "query", 
@@ -9154,153 +6870,108 @@ "version": 100 }, "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { - "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a Parent Process", "sha256": "d8ff4bf9daa5791d5125e828242e6da12e755fe8e6594f543661711e82994cfd", "type": "machine_learning", "version": 4 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "b067b05efba5deb9be05f4eb293d71270aec223640f2d617f1a365f86c41524c", - "type": "threshold", - "version": 109 - } - }, "rule_name": "AWS IAM Brute Force of Assume Role Policy", "sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3", "type": "threshold", "version": 210 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { - "min_stack_version": "8.3", "rule_name": "Spike in Firewall Denies", "sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a", "type": "machine_learning", "version": 103 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { - "min_stack_version": "8.3", "rule_name": "Suspicious APT Package Manager Network Connection", "sha256": "e33ef40e6926a8ebb9819b992a678c5cb30b5ca0ec2564ad888d213893eec80c", "type": "eql", "version": 2 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { - "min_stack_version": "8.3", "rule_name": "External Alerts", "sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6", "type": "query", "version": 103 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad", "type": "query", "version": 4 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { - "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Request", "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb", "type": "query", "version": 111 }, 
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { - "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection Attempt by Root", "sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e", "type": "eql", "version": 104 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { - "min_stack_version": "8.3", "rule_name": "Potential Disabling of SELinux", "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", "type": "eql", "version": 110 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { - "min_stack_version": "8.3", "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98", "type": "eql", "version": 109 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { - "min_stack_version": "8.3", "rule_name": "IIS HTTP Logging Disabled", "sha256": "d83d663dcda70e00a6ab21131eed87f0b8c368ce720e9af6b55cc3ed301826a8", "type": "eql", "version": 110 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { - "min_stack_version": "8.3", "rule_name": "Process Execution from an Unusual Directory", "sha256": "8df3afe86977d9a2b2f2229f4f6d2fb5bb39898849f2d887050d754afba715a2", "type": "eql", "version": 110 }, "ec604672-bed9-43e1-8871-cf591c052550": { - "min_stack_version": "8.8", "rule_name": "File Made Executable via Chmod Inside A Container", "sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54", "type": "eql", "version": 2 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df", "type": "query", "version": 206 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { - "min_stack_version": "8.3", "rule_name": 
"Executable File with Unusual Extension", "sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509", "type": "eql", "version": 2 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Instance/Cluster Stoppage", "sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58", "type": "query", "version": 206 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { - "min_stack_version": "8.3", "rule_name": "Azure Global Administrator Role Addition to PIM User", "sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c", "type": "query", "version": 102 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { - "min_stack_version": "8.3", "rule_name": "AdFind Command Activity", "sha256": "35efc8cf7bf58aeb31117f913287b60e74e904cbdce764bcd90b1a649e6318e1", "type": "eql", @@ -9309,7 +6980,7 @@ "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973", @@ -9323,14 +6994,12 @@ "version": 206 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { - "min_stack_version": "8.3", "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "6b7b9ccc19477616a522bddc2a00f166753629727474b6494a4460bfc09ec4f6", "type": "eql", "version": 112 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { - "min_stack_version": "8.3", "rule_name": "Linux User Account Creation", "sha256": "95cad73c0f9c90ae0aca50ad6528161624c9d694075e6761ef195da867643c08", "type": "eql", 
@@ -9339,7 +7008,7 @@ "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 102, "rule_name": "Okta FastPass Phishing Detection", "sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932", @@ -9353,14 +7022,12 @@ "version": 103 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { - "min_stack_version": "8.3", "rule_name": "Unusual Print Spooler Child Process", "sha256": "3b8d96d08eb433256b4fb0fd5206543e932d32caede2f0296b44a83ccf41868c", "type": "eql", "version": 108 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { - "min_stack_version": "8.3", "rule_name": "Shortcut File Written or Modified on Startup Folder", "sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662", "type": "eql", 
@@ -9373,56 +7040,48 @@ "version": 100 }, "eea82229-b002-470e-a9e1-00be38b14d32": { - "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", "sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc", "type": "eql", "version": 107 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { - "min_stack_version": "8.3", "rule_name": "BPF filter applied using TC", "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", "type": "eql", "version": 108 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", "type": "eql", "version": 7 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { - "min_stack_version": "8.8", "rule_name": "Potential Container Escape via Modified notify_on_release File", "sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04", "type": "eql", "version": 1 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { - "min_stack_version": "8.3", "rule_name": "Whoami Process Activity", "sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202", "type": "eql", "version": 111 }, "ef8cc01c-fc49-4954-a175-98569c646740": { - "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "sha256": "9512995e5dffd053732011c13901b6e07071c98fbf12ad540b632ebf940f2c32", "type": "machine_learning", "version": 3 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { - "min_stack_version": "8.3", "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe", "type": "eql", "version": 108 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { - "min_stack_version": "8.3", "rule_name": "Suspicious HTML File Creation", "sha256": "a8f8624488bd94c12376e0d7098fdf1714698d2df6e877311fded9ab584a043d", "type": "eql", 
@@ -9431,7 +7090,7 @@ "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba", 
@@ -9445,149 +7104,120 @@ "version": 205 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { - "min_stack_version": "8.3", "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", "sha256": "5182f386430f01d4b91371a123d7323d6c786af55e661ca361224b7e1abaab5c", "type": "eql", "version": 108 }, "f0bc081a-2346-4744-a6a4-81514817e888": { - "min_stack_version": "8.3", "rule_name": "Azure Alert Suppression Rule Created or Modified", "sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270", "type": "query", "version": 102 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { - "min_stack_version": "8.3", "rule_name": "Execution with Explicit Credentials via Scripting", "sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb", "type": "query", "version": 106 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { - "min_stack_version": "8.3", "rule_name": "Potential Remote Code Execution via Web Server", "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", "type": "eql", "version": 7 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "Forwarded Google Workspace Security Alert", "sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af", "type": "query", "version": 2 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { - "min_stack_version": "8.3", "rule_name": "Service Path Modification", "sha256": "f6488872c8be23ecc9a4e3339d5de39339210c77856be3d05d90c00968a721c9", "type": "eql", "version": 2 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { - "min_stack_version": "8.3", "rule_name": "Creation of Hidden Login Item via Apple Script", "sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3", "type": "eql", "version": 108 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { - "min_stack_version": "8.3", "rule_name": "Potential OpenSSH Backdoor Logging Activity", "sha256": "b10534cda59c460de168c3b9fed3d8899465199770dd6c96f2e2d65358d3cb24", "type": "eql", "version": 109 }, 
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": { - "min_stack_version": "8.3", "rule_name": "SIP Provider Modification", "sha256": "637b95af638d89775bd2f924af80375c6ff258c63b53785edfb3543db910cbbf", "type": "eql", "version": 107 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { - "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Creation", "sha256": "f75e7dbe109ab94981359e193e38bc31d50c60ac6258c2e42dd797649989a2f4", "type": "eql", "version": 109 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Instance Creation", - "sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Instance Creation", "sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166", "type": "query", "version": 206 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", "sha256": "bf31263ee7b3dd377aad879072d95f3cfa5f487f3db9f91e6d47822700c554c9", "type": "eql", "version": 4 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { - "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "sha256": "2c43c3f3a3eab3066a67fa00b1ecf370bbb5c1a7cc41898dabf2a4553b1630ea", "type": "query", "version": 3 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { - "min_stack_version": "8.3", "rule_name": "WMI Incoming Lateral Movement", "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e", "type": "eql", "version": 110 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { - "min_stack_version": "8.3", "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c", "type": "threshold", "version": 104 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { - 
"min_stack_version": "8.3", "rule_name": "Suspicious Network Connection via systemd", "sha256": "52931e3500fd41b92dd905637912dc28861b532e3bf11d6ab79f243237f9573c", "type": "eql", "version": 2 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { - "min_stack_version": "8.5", "rule_name": "Threat Intel URL Indicator Match", "sha256": "2e45aadc96febb79204cc0182a5cda5f7b1be5634e47e7c18fc92b429f529471", "type": "threat_match", "version": 6 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { - "min_stack_version": "8.6", "rule_name": "Potential curl CVE-2023-38545 Exploitation", "sha256": "422469c042fbbd783e6f8aca78c507ba139de7e0aa3e364406f12f16db6db808", "type": "eql", "version": 5 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { - "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc", "type": "eql", "version": 108 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { - "min_stack_version": "8.3", "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "sha256": "3d559e86203735f531cbbe7a26f5e361236760068e41b0b421f0f5d59a3c5765", "type": "query", 
@@ -9607,135 +7237,108 @@ "version": 100 }, "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { - "min_stack_version": "8.3", "rule_name": "Suspicious Data Encryption via OpenSSL Utility", "sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc", "type": "eql", "version": 6 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { - "min_stack_version": "8.3", "rule_name": "Windows Script Executing PowerShell", "sha256": "708503003bcee46e11babb11f8aa31370e2b00f8819ad6b533d88ae777974577", "type": "eql", "version": 111 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { - "min_stack_version": "8.8", "rule_name": "SSH Connection Established Inside A Running Container", "sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7", "type": "eql", "version": 2 }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { - "min_stack_version": "8.3", "rule_name": "Rare SMB Connection to the Internet", "sha256": "a63046d792830722836c024689a5b5e9e1f3ac006e80e1445c1efa17bfbc98e5", "type": "new_terms", "version": 3 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { - "min_stack_version": "8.3", "rule_name": "WRITEDAC Access on Active Directory Object", "sha256": "e1128eff83337cf8df9523f584e2a5859c85e7d579d9655bb532de4714bd4124", "type": "query", "version": 4 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { - "min_stack_version": "8.3", "rule_name": "WMIC Remote Command", "sha256": "49fe04b88dc0dc6ee9776c88113935db33ecbc3c955ddb4b201acb6867022d7f", "type": "eql", "version": 4 }, "f5c005d3-4e17-48b0-9cd7-444d48857f97": { - "min_stack_version": "8.3", "rule_name": "Setcap setuid/setgid Capability Set", "sha256": "bec5a046d8ac67ff161d518d2ccf53b9138179dfc67759ad5f9078fdc14810a6", "type": "eql", "version": 5 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { - "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "sha256": "d6db5d4e54233628ba05c96ce487387f74b8d57d423cae36a1cfa4602ef0c312", "type": "machine_learning", "version": 4 }, 
"f5fb4598-4f10-11ed-bdc3-0242ac120002": { - "min_stack_version": "8.3", "rule_name": "Masquerading Space After Filename", "sha256": "0bdfb6f39afe789ae9447ea9f33938a24d746c1017ac0646c9f1776272882e37", "type": "eql", "version": 6 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { - "min_stack_version": "8.3", "rule_name": "Account or Group Discovery via Built-In Tools", "sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135", "type": "eql", "version": 3 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { - "min_stack_version": "8.3", "rule_name": "Windows Firewall Disabled via PowerShell", "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088", "type": "eql", "version": 110 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { - "min_stack_version": "8.3", "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "6b1d419bf9aa6949ee92ded6a11fd322e88da4c01130617ee0d215449c773841", "type": "eql", "version": 109 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { - "min_stack_version": "8.3", "rule_name": "SoftwareUpdate Preferences Modification", "sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b", "type": "query", "version": 106 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { - "min_stack_version": "8.3", "rule_name": "System Hosts File Access", "sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571", "type": "eql", "version": 3 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { - "min_stack_version": "8.3", "rule_name": "Azure Service Principal Credentials Added", "sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103", "type": "query", "version": 102 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudWatch Alarm 
Deletion", "sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc", "type": "query", "version": 209 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { - "min_stack_version": "8.8", "rule_name": "SSH Authorized Keys File Modified Inside a Container", "sha256": "d08ada3a6198777da68c1ad854b2c989ea3c25a2cd89c68741c538de9a433237", "type": "eql", "version": 2 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { - "min_stack_version": "8.3", "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "a1bc8b73c4533f942aac0721b6a1345272ca6770fde9d130e8f62f115eb42177", "type": "eql", 
@@ -9749,56 +7352,48 @@ "version": 2 }, "f81ee52c-297e-46d9-9205-07e66931df26": { - "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec", "type": "eql", "version": 109 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { - "min_stack_version": "8.3", "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87", "type": "query", "version": 106 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { - "min_stack_version": "8.3", "rule_name": "Modification of AmsiEnable Registry Key", "sha256": "78279bb6af6824e60ded36c81c6ef322b9ccaeb26c92549abc2921bf4227941b", "type": "eql", "version": 110 }, "f94e898e-94f1-4545-8923-03e4b2866211": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0", "type": "new_terms", "version": 1 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Configuration Discovery", "sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042", "type": "machine_learning", "version": 104 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { - "min_stack_version": "8.3", "rule_name": "Ingress Transfer via Windows BITS", "sha256": "5952fcaf652a5286441fc15039faeb8970ad18ef5832358bbc5385c6e09ed734", "type": "eql", "version": 7 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { - "min_stack_version": "8.3", "rule_name": "Browser Extension Install", "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a", "type": "eql", "version": 2 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { - "min_stack_version": "8.3", "rule_name": "Privileged Account Brute Force", "sha256": "6b7871e9961be78c2d06f1cb08a639f6b4d3dcb022d16261b56fa3472f8f7d70", "type": "eql", 
@@ -9807,7 +7402,7 @@ "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06", 
@@ -9821,65 +7416,48 @@ "version": 205 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { - "min_stack_version": "8.3", "rule_name": "Remote File Copy to a Hidden Share", "sha256": "3a766093b0d4f34997e59583bef56fb42b94ebe8b4d5d167f6f5123519f92525", "type": "eql", "version": 109 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { - "min_stack_version": "8.3", "rule_name": "Potential External Linux SSH Brute Force Detected", "sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda", "type": "eql", "version": 7 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Binary", "sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c", "type": "eql", "version": 7 }, "fa488440-04cc-41d7-9279-539387bf2a17": { - "min_stack_version": "8.3", "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642", "type": "eql", "version": 9 }, "fac52c69-2646-4e79-89c0-fd7653461010": { - "min_stack_version": "8.3", "rule_name": "Potential Disabling of AppArmor", "sha256": "e1fc21035bd0018c82e188c8ebe6241aa878a214edaf3895b806621f5d82d2e3", "type": "eql", "version": 6 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 101, - "rule_name": "Potential Masquerading as System32 DLL", - "sha256": "44de9f686412f5ba599fbbf3c20d3d9a0e941c644469a473712133ff1293bf6d", - "type": "eql", - "version": 2 - } - }, "rule_name": "Potential Masquerading as System32 DLL", "sha256": "1af8edb01a1cfb710c926f5d006909a5e7139b1a95763ed5fbc88147f1eab9bc", "type": "eql", "version": 104 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { - "min_stack_version": "8.3", "rule_name": "Network Connection via Registration Utility", "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d", "type": "eql", "version": 108 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { - 
"min_stack_version": "8.8", "rule_name": "High Number of Cloned GitHub Repos From PAT", "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234", "type": "threshold", @@ -9892,37 +7470,24 @@ "version": 100 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Configuration Recorder Stopped", "sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004", "type": "query", "version": 206 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e", "type": "eql", "version": 109 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf", "type": "new_terms", "version": 1 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { - "min_stack_version": "8.3", "rule_name": "GitHub App Deleted", "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960", "type": "eql", 
@@ -9935,151 +7500,114 @@ "version": 100 }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { - "min_stack_version": "8.3", "rule_name": "Potential Application Shimming via Sdbinst", "sha256": "c6e0f3ed2de57cd525aed211c660fafb3d244519f29423756b1e01f95a1f7469", "type": "eql", "version": 110 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { - "min_stack_version": "8.3", "rule_name": "Suspicious CertUtil Commands", "sha256": "1eefd434526b2d048a615ba540bf83da7ee5150eae84ff517f5de3e7668c964b", "type": "eql", "version": 108 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Svchost spawning Cmd", - "sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04", - "type": "eql", - "version": 107 - } - }, "rule_name": "Svchost spawning Cmd", "sha256": "6d152e1d87343af4204868f6661565208bc41bc7fa3b54d2431de77ade274f91", "type": "new_terms", "version": 212 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { - "min_stack_version": "8.3", "rule_name": "Image Loaded with Invalid Signature", "sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d", "type": "eql", "version": 2 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { - "min_stack_version": "8.3", "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", "sha256": "64a298cfd46dd919d8d6d349126b6a4a90347cf9eb7a23661803b528c1bd2828", "type": "eql", "version": 7 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { - "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Dump", "sha256": "1ccbc020df7ccd578a04c6a962cba1a9eb01217fe0325d1ebb52cfcae454276e", "type": "query", "version": 4 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9", "type": "query", "version": 5 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { - 
"min_stack_version": "8.3", "rule_name": "Microsoft Windows Defender Tampering", "sha256": "1049a012554fe790510c642962136afe7809f3cb6743d41c94d9064cb5cd0275", "type": "eql", "version": 110 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { - "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Business App Installer", "sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5", "type": "eql", "version": 4 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { - "min_stack_version": "8.3", "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", "sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87", "type": "eql", "version": 2 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { - "min_stack_version": "8.3", "rule_name": "MS Office Macro Security Registry Modifications", "sha256": "0cb2724deeff775fe087f8fc28747011973bfa19b4924546d551ae231cf102e2", "type": "eql", "version": 107 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { - "min_stack_version": "8.3", "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "sha256": "be298496f5dc80a824431ca74dd636b027fd4a95e5b4cae739b13de1c3dfe055", "type": "query", "version": 103 }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { - "min_stack_version": "8.9", "rule_name": "Potential DGA Activity", "sha256": "f1777c34722961e6332a58230876ae5519c4fc7e7a09d1450eb0038aeabe2640", "type": "machine_learning", "version": 3 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { - "min_stack_version": "8.6", "rule_name": "Cron Job Created or Changed by Previously Unknown Process", "sha256": "8d0088142351af95023ec0cbec030e26da4de32891f90802ece09174e3446293", "type": "new_terms", "version": 9 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { - "min_stack_version": "8.7", "rule_name": "LSASS Process Access via Windows API", "sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18", "type": "eql", "version": 7 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { - "min_stack_version": 
"8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Transport Rule Creation", - "sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Transport Rule Creation", "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88", "type": "query", "version": 206 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { - "min_stack_version": "8.3", "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb", "type": "eql", "version": 1 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { - "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Deletion", "sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068", "type": "query", "version": 104 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { - "min_stack_version": "8.3", "rule_name": "Potential Sudo Token Manipulation via Process Injection", "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", "type": "eql", diff --git a/docs/versioning.md b/docs/versioning.md new file mode 100644 index 000000000..120c88b70 --- /dev/null +++ b/docs/versioning.md 
@@ -0,0 +1,26 @@
+# Supported Versions and Releases
+
+This document provides detailed information about the different versions that are supported and released for prebuilt detection rules.
+
+## Current Version
+
+The current version of prebuilt detection rules is `v8.14`.
+
+## Previous Versions Released
+
+The following version(s) are released along with the current version.
+
+- `v8.13`
+- `v8.12`
+- `v8.11`
+
+### Previous Versions Maintained
+
+The following version(s) are maintained along with the current version.
+
+- `v8.10`
+- `v8.9`
+
+## End of Life Policy
+
+Our policy is to support and provide public releases for `Current`, `Current-1`, `Current-2`, `Current-3` versions. We maintain and do not release `Current-4` and `Current-5` versions.
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index 28bea375c..d8010b71a 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["apm"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index 4f3b957f2..bedc96ade 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["apm"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index b147173d8..c8ba5b286 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["apm"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
index aa5803afe..d8ccf625b 100644
--- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
+++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
@@ -2,15 +2,13 @@
 creation_date = "2023/06/19"
 integration = ["endpoint", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/01/30"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt
-to deliver phishing payloads via a trusted webservice.
+Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing
+payloads via a trusted webservice.
 """
 false_positives = [
 "Approved third-party applications that use Google Drive download URLs.",
@@ -25,7 +23,14 @@ references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matan
 risk_score = 47
 rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
index b863a6bf6..26b3ddbf1 100644
--- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
+++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/10/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/09/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -30,13 +28,14 @@ references = ["https://attack.mitre.org/techniques/T1571/"]
 risk_score = 21
 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
 severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "OS: macOS",
- "Data Source: Elastic Defend"
- ]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "OS: macOS",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
@@ -51,15 +50,17 @@ sequence by process.entity_id with maxspan=1m
 ]
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1571"
 name = "Non-Standard Port"
 reference = "https://attack.mitre.org/techniques/T1571/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index b9179554e..9dbe6ea18 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/21"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -37,7 +35,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index be6661803..0db7fbdae 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,15 +1,14 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2023/06/22"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
-description = """Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch"
-occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could
-indicate attempts to spoof events in order to masquerade actual activity to evade detection.
+description = """
+Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the
+expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
+attempts to spoof events in order to masquerade actual activity to evade detection.
 """
 false_positives = [
 """
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 4003974f4..6019f522c 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -1,15 +1,14 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2023/06/22" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent -being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to -masquerade actual activity to evade detection. +description = """ +Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and +used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual +activity to evade detection. """ false_positives = [ """ @@ -47,11 +46,11 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.threshold] field = ["agent.id"] value = 2 - [[rule.threshold.cardinality]] field = "host.id" value = 2 + + diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index 72dfb5e4c..c567ad89f 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -28,7 +26,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml index f1cc64599..8a55874a9 100644 --- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml @@ -2,9 +2,7 @@ creation_date = "2020/05/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,15 +27,15 @@ For more details on adding a custom ingest pipeline refer - https://www.elastic. """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" @@ -56,20 +54,22 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.003" name = "Clear Command History" reference = "https://attack.mitre.org/techniques/T1070/003/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index 3436a467e..50eac1fc7 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2022/05/23" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -30,7 +28,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml index 2b5f675a6..37fb73fe7 100644 --- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml @@ -2,9 +2,7 @@ creation_date = "2022/10/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -34,7 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index baed2ce5d..36d4a8ca9 100644 --- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,13 +28,13 @@ For more details on adding a custom ingest pipeline refer - https://www.elastic. """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml index 6960ab9e5..f22fae9c6 100644 --- a/rules/cross-platform/discovery_security_software_grep.toml +++ b/rules/cross-platform/discovery_security_software_grep.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -59,14 +57,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -122,20 +121,22 @@ process.name : "grep" and user.id != "0" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index e0181030a..2ef727a4d 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -2,9 +2,7 @@ creation_date = "2021/09/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -36,7 +34,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml index f8a9ba363..f97739824 100644 --- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml +++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,7 +16,14 @@ references = ["https://github.com/neoneggplant/EggShell"] risk_score = 73 rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index b605d9064..c872f64da 100644 --- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml 
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -2,9 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -62,14 +60,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -86,15 +85,17 @@ process where event.type in ("start", "process_started") and not process.parent.command_line : "runc init" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index 788197362..33a0253ee 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,15 +62,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Use Case: Vulnerability", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -86,19 +85,20 @@ event.category:process and event.type:("start" or "process_started") and process ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -107,7 +107,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + 
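Review bot: Dropping `min_stack_version = "8.6.0"` (and its `min_stack_comments` justification) removes the only gate that kept this New Terms rule off stacks without multi-field support, while the `[rule.new_terms]` hunk further down this file still sets `value = ["host.id", "process.command_line"]`. That is only safe if the lowest stack version the repository still maps and locks after this trimming is at least 8.6.0 — and, given that an 8.7.0 gate is dropped from guided_onboarding_sample_rule in the same patch, presumably at least 8.7.0 — which cannot be confirmed from this hunk. If any older mapping survives, this rule and the other multi-field New Terms rules touched here (persistence_ssh_authorized_keys_modification, privilege_escalation_sudoers_file_mod, persistence_credential_access_modify_auth_module_or_config) would be offered to stacks that cannot run them. Consider a validation check that fails when a rule uses more than one `new_terms_fields` value and the minimum mapped stack is below 8.6.0, so the invariant this commit relies on is enforced rather than assumed.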
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml index bd2f01694..877e4ced8 100644 --- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml +++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml @@ -2,9 +2,7 @@ creation_date = "2021/12/10" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,7 +26,15 @@ references = [ risk_score = 73 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" query = ''' diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml index cbcbb2dc7..5bbe240e1 100644 --- a/rules/cross-platform/guided_onboarding_sample_rule.toml +++ b/rules/cross-platform/guided_onboarding_sample_rule.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2022/09/22" maturity = "production" -min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+" -min_stack_version = "8.7.0" -updated_date = "2024/03/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index 56ebdb5c7..0b5d652fd 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/07/07" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,7 +62,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c" timeline_title = "Comprehensive File Timeline" timestamp_override = "event.ingested" @@ -91,20 +98,22 @@ any where ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" - [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" + + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml index 1287e9e55..c335de8be 100644 --- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml +++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml 
@@ -1,9 +1,7 @@ [metadata] creation_date = "2020/09/14" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,11 +26,7 @@ setup = """## Setup The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.""" severity = "medium" -tags = [ - "Data Source: Zoom", - "Use Case: Configuration Audit", - "Tactic: Initial Access" -] +tags = ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/multiple_alerts_different_tactics_host.toml b/rules/cross-platform/multiple_alerts_different_tactics_host.toml index 67ee0e381..676a9a892 100644 --- a/rules/cross-platform/multiple_alerts_different_tactics_host.toml +++ b/rules/cross-platform/multiple_alerts_different_tactics_host.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2022/11/16" maturity = "production" -updated_date = "2023/06/22" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,8 +16,8 @@ false_positives = [ """, ] from = "now-24h" -interval = "1h" index = [".alerts-security.*"] +interval = "1h" language = "kuery" license = "Elastic License v2" name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host" @@ -34,10 +32,13 @@ query = ''' signal.rule.name:* and kibana.alert.rule.threat.tactic.id:* ''' + + [rule.threshold] field = ["host.id"] value = 1 - [[rule.threshold.cardinality]] field = "kibana.alert.rule.threat.tactic.id" value = 3 + + diff --git a/rules/cross-platform/multiple_alerts_involving_user.toml b/rules/cross-platform/multiple_alerts_involving_user.toml index a982df44d..076a1096e 100644 --- a/rules/cross-platform/multiple_alerts_involving_user.toml 
+++ b/rules/cross-platform/multiple_alerts_involving_user.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2022/11/16" maturity = "production" -updated_date = "2023/06/22" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,8 +18,8 @@ false_positives = [ """, ] from = "now-24h" -interval = "1h" index = [".alerts-security.*"] +interval = "1h" language = "kuery" license = "Elastic License v2" name = "Multiple Alerts Involving a User" @@ -36,10 +34,13 @@ query = ''' signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20") ''' + + [rule.threshold] field = ["user.name"] value = 1 - [[rule.threshold.cardinality]] field = "signal.rule.rule_id" value = 5 + + diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml index b81101419..85d4432c0 100644 --- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml +++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/09/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
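Review bot: The threshold cardinality `field = "signal.rule.rule_id"` and the query's `signal.rule.name:*` still address alerts through the legacy `signal.*` names, which on `.alerts-security.*` are, to my knowledge, compatibility aliases of `kibana.alert.rule.rule_id` and `kibana.alert.rule.name` rather than the canonical fields. Now that the pre-8.x stack gates are being removed across the rule set, this is the natural moment to switch to the `kibana.alert.*` names — the sibling host rule in this patch already uses `kibana.alert.rule.threat.tactic.id` — so the rule does not depend on the aliases remaining in the alert index mapping. Suggested change: `signal.rule.name:*` → `kibana.alert.rule.name:*` in the query and `field = "kibana.alert.rule.rule_id"` in the cardinality block. The `index`/`interval` reorder and the added blank lines are otherwise fine.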
@@ -29,14 +27,15 @@ references = [ risk_score = 47 rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0" severity = "medium" -tags = ["Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -70,27 +69,27 @@ event.category:file and event.type:change and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" @@ -99,7 +98,8 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml index da32aff27..60a1afc60 100644 --- a/rules/cross-platform/persistence_shell_profile_modification.toml +++ b/rules/cross-platform/persistence_shell_profile_modification.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/09/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -24,13 +22,14 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware- risk_score = 47 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c" severity = "medium" -tags = ["Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" @@ -51,20 +50,22 @@ event.category:file and event.type:change and /Users/*/.zshenv) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml index af9946d38..71edbff42 100644 --- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,16 +18,18 @@ name = "SSH Authorized Keys File Modification" risk_score = 47 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f" severity = "medium" -tags = ["Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' event.category:file and event.type:(change or creation) and file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and 
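Review bot: Two of the values in `file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh")` are paths, and ECS `file.name` carries only the basename, so `"/etc/ssh/sshd_config"` and `"/root/.ssh"` can never match unless the data source populates `file.name` with a full path; those two clauses look dead, which means sshd_config modifications are not actually covered by this rule. Consider moving them to the path field, e.g. `(file.name:("authorized_keys" or "authorized_keys2") or file.path:("/etc/ssh/sshd_config" or /root/.ssh/*))`, and re-checking the new_terms history window against the extra volume. The query continues past the end of this hunk, so the exclusions that follow are not visible here; the commit itself only adds the blank line before `query`.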
@@ -51,46 +51,46 @@ event.category:file and event.type:(change or creation) and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" - [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" [rule.threat.tactic] id = "TA0008" @@ -100,7 +100,8 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml index 7996a3987..7b5890723 100644 --- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml +++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/01/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,14 @@ name = "Potential Privilege Escalation via Sudoers File Modification" risk_score = 73 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 7a9979f25..0bbd44d85 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -24,7 +22,14 @@ name = "Setuid / Setgid Bit Set via chmod"
 risk_score = 21
 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
index bd3caf403..0fa030934 100644
--- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/02/03"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/01/05"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -33,9 +31,17 @@ references = [
 risk_score = 73
 rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
-type = "threshold"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
+type = "threshold"
 
 query = '''
 event.category:process and event.type:start and
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index f7b7b826d..23c493369 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/12/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,13 +19,13 @@ risk_score = 47 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4" severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -37,19 +35,20 @@ not process.name:(dpkg or platform-python or puppet or yum or dnf) and not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -58,7 +57,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/cross-platform/threat_intel_indicator_match_address.toml index 55abba3f2..07ed6b5d0 100644 
--- a/rules/cross-platform/threat_intel_indicator_match_address.toml +++ b/rules/cross-platform/threat_intel_indicator_match_address.toml @@ -1,12 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/01/17" -min_stack_comments = """ -Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match -general rules. -""" -min_stack_version = "8.5.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -33,6 +28,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -103,7 +99,7 @@ This rule is triggered when an IP address indicator from the Threat Intel Filebe references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" + "https://www.elastic.co/security/tip", ] risk_score = 99 rule_id = "0c41e478-5263-4c69-8f9e-7dfd2c22da64" 
@@ -118,72 +114,74 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" +threat_query = """ +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not +labels.is_ioc_transform_source:"true" +""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" - -threat_query = ''' -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and - not labels.is_ioc_transform_source:"true" -''' - -query = """ +query = ''' source.ip:* or destination.ip:* -""" +''' [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.category" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.kind" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.type" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" - 
[[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "source.ip" type = "mapping" value = "threat.indicator.ip" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "destination.ip" type = "mapping" value = "threat.indicator.ip" + + diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml index 5b6ea5fe0..54bc25feb 100644 --- a/rules/cross-platform/threat_intel_indicator_match_hash.toml +++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml @@ -1,12 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/01/17" -min_stack_comments = """ -Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match -general rules. -""" -min_stack_version = "8.5.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -33,11 +28,12 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ -This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an -event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. +This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against +an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. """ from = "now-65m" index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"] 
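Review bot: `threat_query` moves from a literal `'''` string to a basic `"""` string while `query` in the same hunk moves the other way, so the two KQL strings in this rule now use opposite quoting styles. In a TOML basic multi-line string a backslash is an escape character, so a later edit that adds a KQL escape to `threat_query` would need doubling, while the literal form passes the query through verbatim; keeping `threat_query = '''` matches `query` and the rest of the rule files. If this is the output of the repo's TOML formatter, the inconsistency is worth raising against the formatter instead. The same swap appears in the hash, registry and URL indicator-match rules further down in this patch.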
@@ -102,7 +98,7 @@ This rule is triggered when a hash indicator from the Threat Intel Filebeat modu
 references = [
 "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
 "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
- "https://www.elastic.co/security/tip"
+ "https://www.elastic.co/security/tip",
 ]
 risk_score = 99
 rule_id = "aab184d3-72b3-4639-b242-6597c99d8bca"
@@ -117,115 +113,123 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" +threat_query = """ +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or +threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:"true" +""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" - -threat_query = ''' -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and - (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and - not labels.is_ioc_transform_source:"true" -''' - -query = """ +query = ''' file.hash.*:* or process.hash.*:* or dll.hash.*:* -""" +''' [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.category" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.kind" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.type" +negate = false +type = "phrase" 
[rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" - [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "dll.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "dll.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "dll.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "process.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "process.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "process.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" + + diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/cross-platform/threat_intel_indicator_match_registry.toml index 3cb6742cb..fee4820ef 100644 --- a/rules/cross-platform/threat_intel_indicator_match_registry.toml +++ b/rules/cross-platform/threat_intel_indicator_match_registry.toml 
@@ -1,12 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/01/17" -min_stack_comments = """ -Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match -general rules. -""" -min_stack_version = "8.5.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -33,6 +28,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -97,7 +93,7 @@ This rule is triggered when a Windows registry indicator from the Threat Intel F references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" + "https://www.elastic.co/security/tip", ] risk_score = 99 rule_id = "a61809f3-fb5b-465c-8bff-23a8a068ac60" 
@@ -112,66 +108,67 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" +threat_query = """ +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not +labels.is_ioc_transform_source:"true" +""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" - -threat_query = ''' -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and - not labels.is_ioc_transform_source:"true" -''' - -query = """ +query = ''' registry.path:* -""" +''' [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.category" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.kind" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.type" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = 
"indicator" - [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "registry.path" type = "mapping" value = "threat.indicator.registry.path" + + diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml index ea456406c..cba88abb5 100644 --- a/rules/cross-platform/threat_intel_indicator_match_url.toml +++ b/rules/cross-platform/threat_intel_indicator_match_url.toml @@ -1,12 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/01/17" -min_stack_comments = """ -Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match -general rules. -""" -min_stack_version = "8.5.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -33,6 +28,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -106,7 +102,7 @@ This rule is triggered when a URL indicator from the Threat Intel Filebeat modul references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" + "https://www.elastic.co/security/tip", ] risk_score = 99 rule_id = "f3e22c8b-ea47-45d1-b502-b57b6de950b3" 
@@ -121,72 +117,74 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" +threat_query = """ +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not +labels.is_ioc_transform_source:"true" +""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" - -threat_query = ''' -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and - threat.indicator.url.full:* and not labels.is_ioc_transform_source:"true" -''' - -query = """ +query = ''' url.full:* -""" +''' [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.category" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.kind" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.type" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" - 
[[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "url.full" type = "mapping" value = "threat.indicator.url.full" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "url.original" type = "mapping" value = "threat.indicator.url.original" + + diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml index 3ecd07148..f4c31b3d2 100644 --- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml +++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml @@ -2,9 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,7 +30,13 @@ references = [ risk_score = 21 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed" severity = "low" -tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Tactic: Collection", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml index a092d575a..cbb1e5613 100644 --- a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml +++ b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/10" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to 2.0.0" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,7 +17,6 @@ language = "kuery" license = "Elastic License v2" name = "AWS EC2 Admin Credential Fetch via Assumed Role" note = """ - ## Triage and Analysis ### Investigating AWS EC2 Admin Credential Fetch via Assumed Role diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml index 17ca61309..fd03af121 100644 --- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml +++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/16" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -76,10 +74,10 @@ tags = [ "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", - "Tactic: Credential Access" + "Tactic: Credential Access", ] -type = "threshold" timestamp_override = "event.ingested" +type = "threshold" query = ''' event.dataset:aws.cloudtrail and diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml index 18248e825..5e6d6ebea 100644 --- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml +++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml @@ -2,9 +2,7 @@ creation_date = "2020/06/04" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
index 6365cc34c..e5e939edf 100644
--- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
@@ -2,16 +2,18 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Nick Jones", "Elastic"] description = """ -An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action. - -This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager. +An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may +attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time +a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the +`GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with +IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with +access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the +compromised service's IAM role to access the secrets in Secrets Manager. """ false_positives = [ """ 
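Review bot: The rewrapped description carries two wording slips onto the new lines: `are setup with` should be `are set up with`, and `IAM role's assigned` should be `IAM roles assigned`. Since the rewrap already rewrites these lines, fixing the wording here avoids a second edit of the rule, and this text is what an analyst reads on the alert.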
@@ -78,7 +80,7 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
 references = [
 "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
 "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/",
- "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum"
+ "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum",
 ]
 risk_score = 47
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 889e6d56a..e8cfdda99 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,9 +29,15 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
-type = "threshold"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
+type = "threshold"
 
 query = '''
 event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index fab6ee327..0bbea8b84 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -2,9 +2,7 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -76,7 +74,14 @@ references = [ risk_score = 47 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab" severity = "medium" -tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Resources: Investigation Guide", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml index 6d1ee6ef2..72227a18a 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml @@ -2,9 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -80,7 +78,14 @@ references = [ risk_score = 47 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7" severity = "medium" -tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Resources: Investigation Guide", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml index 3d5915bd6..11861b990 100644 --- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml +++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2020/06/15" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -82,7 +80,13 @@ references = [ risk_score = 47 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c" severity = "medium" -tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Resources: Investigation Guide", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml index 451dda334..855c53f63 100644 --- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml +++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/06/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -80,7 +78,13 @@ references = [
 risk_score = 21
 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Resources: Investigation Guide",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index cc02cd56a..c0cd38ab2 100644
--- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/16"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 7f1090ef1..3c803b5f4 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -79,7 +77,14 @@ references = [
 risk_score = 73
 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Log Auditing",
+ "Resources: Investigation Guide",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index 1db8508a9..fb2e47ad9 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -37,7 +35,13 @@ references = [
 risk_score = 47
 rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
index 5d5500605..d39dcc0b0 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index bb65f1940..a496a341a 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
index 2d034a9e7..9b150497c 100644
--- a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/09/22"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
@@ -31,7 +29,13 @@ references = [
 risk_score = 21
 rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index 54e33b5a9..d0f4ad05d 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/28"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
index 15682431e..0df31df63 100644
--- a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/05/06"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -21,7 +19,6 @@ language = "kuery"
 license = "Elastic License v2"
 name = "Route53 Resolver Query Log Configuration Deleted"
 note = """
-
 ## Triage and Analysis
 ### Investigating Route53 Resolver Query Log Configuration Deleted
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 0777ffc65..ceb62849c 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/27"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,13 @@ references = [
 risk_score = 21
 rule_id = "227dc608-e558-43d9-b521-150772250bae"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Asset Visibility",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index 749b42b06..33ddcf375 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,13 @@ references = [
 risk_score = 47
 rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index a83cccbfa..1206af849 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/09"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,13 @@ references = [
 risk_score = 47
 rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
index 04631d878..bc1ecf1da 100644
--- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/05/13"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -26,7 +24,6 @@ language = "kuery"
 license = "Elastic License v2"
 name = "EC2 AMI Shared with Another Account"
 note = """
-
 ## Triage and Analysis
 ### Investigating EC2 AMI Shared with Another Account
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index a305bc80d..e809fcaf2 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -36,7 +34,14 @@ references = [
 risk_score = 47
 rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Exfiltration",
+ "Tactic: Collection",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index 24f65ef73..cb94ddfe2 100644
--- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/24"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index 79bb43917..6b99a4eed 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/04/22"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -32,7 +30,14 @@ references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.h
 risk_score = 21
 rule_id = "e919611d-6b6f-493b-8314-7ed6ac2e413b"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Asset Visibility",
+ "Tactic: Exfiltration",
+ "Tactic: Collection",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index e76a934dc..3acc55c15 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,7 +27,13 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Sta
 risk_score = 21
 rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Asset Visibility",
+ "Tactic: Exfiltration",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index 8197da77b..fb21fe2f6 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/29"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
@@ -34,7 +32,13 @@ references = [
 risk_score = 47
 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Asset Visibility",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index 6059acca4..4dced14d7 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index aa38f0674..48494c6f3 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -76,7 +74,15 @@ references = [
 risk_score = 21
 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Cloudtrail",
+ "Use Case: Log Auditing",
+ "Resources: Investigation Guide",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index 35f56683f..a51d7148e 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/18"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -81,7 +79,15 @@ references = [
 risk_score = 47
 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS CloudWatch",
+ "Use Case: Log Auditing",
+ "Resources: Investigation Guide",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index f9f57c997..f673d30df 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index efaedd396..06305eb89 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -36,7 +34,13 @@ references = [
 risk_score = 47
 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
index 7bfe24021..289a12509 100644
--- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/08/27"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index c908c752f..c9d1fb8a1 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -75,7 +73,14 @@ references = [
 risk_score = 47
 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Resources: Investigation Guide",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index 6c8c05f71..97463e977 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,13 @@ references = [
 risk_score = 21
 rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
index 6eb74194e..11c2d1333 100644
--- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
+++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/09/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Xavier Pich"]
@@ -37,7 +35,14 @@ references = [
 risk_score = 47
 rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS KMS", "Use Case: Log Auditing", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS KMS",
+ "Use Case: Log Auditing",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 4f13ca6bb..989081659 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -30,7 +28,13 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Del
 risk_score = 21
 rule_id = "863cdf31-7fd3-41cf-a185-681237ea277b"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 571098c77..8648fe434 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -39,7 +37,14 @@ references = [
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Use Case: Asset Visibility",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index 423869ff9..ecdf99bd4 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,14 @@ references = [
 risk_score = 47
 rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Use Case: Asset Visibility",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index e42fe045a..de2126e08 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/11"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -72,7 +70,7 @@ tags = [
 "Data Source: AWS Signin",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access"
+ "Tactic: Initial Access",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 05f43038b..76273e283 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/02"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,14 @@ references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Signin", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Signin",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index 378c45ce1..7f7beade8 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index 2e7f5fb50..8b7f1512a 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
-maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
 integration = ["aws"]
+maturity = "production"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 50
@@ -87,6 +85,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index f0622af6c..0ebbb531d 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
-maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
 integration = ["aws"]
+maturity = "production"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -89,6 +87,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index ae2cf411b..947265fdc 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
-maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
 integration = ["aws"]
+maturity = "production"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -91,6 +89,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index dae363dc1..1cb446348 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
-maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
 integration = ["aws"]
+maturity = "production"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -91,6 +89,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index b2e817bfc..88a65f683 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
-maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
 integration = ["aws"]
+maturity = "production"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
@@ -89,6 +87,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index 2fd07cb29..0ec4ba8c4 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +35,14 @@ references = [
 risk_score = 21
 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index 70e77bbf7..356547289 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -33,7 +31,14 @@ references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-securi
 risk_score = 21
 rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index c638a8967..5d678c72d 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,14 @@ references = [
 risk_score = 21
 rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 840f8a3c2..352fd7c48 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +35,14 @@ references = [
 risk_score = 21
 rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 70265434c..1140f4e4e 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,7 +27,13 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "378f9024-8a0c-46a5-aa08-ce147ac73a4e"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index bab383568..ba167a1cb 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,7 +27,14 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "f30f3443-4fbb-4c27-ab89-c3ad49d62315"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index 5160db70a..ee4a8e87d 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/04/12"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,14 @@ references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_Crea
 risk_score = 21
 rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Redshift", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Redshift",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index 4e065c4fa..3adaff849 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -35,7 +33,14 @@ references = [
 risk_score = 21
 rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index 166506aa7..758c5f25b 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -30,7 +28,14 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Opera
 risk_score = 21
 rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index 7b763c72d..50c7b0fa2 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -29,7 +27,14 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Assoc
 risk_score = 21
 rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index b79c5f296..c254309c0 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -34,7 +32,14 @@ references = [
 risk_score = 21
 rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index 6f3cc8f42..8829dc165 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
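Review bot: The reformatted tags block for persistence_route_table_created.toml keeps `"Data Source: AWS Route53"`, but VPC route tables are an EC2/VPC API, not Route 53, so the data-source tag looks wrong and should most likely read `"Data Source: AWS EC2"` like the network ACL rule earlier in this diff. The same mislabel is carried through unchanged in the persistence_route_table_modified_or_deleted.toml tags hunk and in the `tags = [` hunk of privilege_escalation_root_login_without_mfa.toml, where a console sign-in rule is tagged Route53 even though its neighbours use AWS Signin. A reformat-only backport is a defensible place to leave them, but since every tags block is being rewritten here this is the cheapest moment to correct them; anyone filtering prebuilt rules by data source will otherwise miss these rules.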
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -38,7 +36,14 @@ references = [
 risk_score = 21
 rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 903cb9c1b..3e8adc73b 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +75,7 @@ tags = [
 "Data Source: AWS Route53",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Privilege Escalation"
+ "Tactic: Privilege Escalation",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index c81aedb04..1cc2fd23f 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -24,7 +22,14 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol
 risk_score = 21
 rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS STS",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Privilege Escalation",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index 48ce9ac22..7bde75f67 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -30,7 +28,14 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessio
 risk_score = 21
 rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS STS",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Privilege Escalation",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index 53313087b..979d9ef46 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +76,7 @@ tags = [
 "Data Source: AWS STS",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Privilege Escalation"
+ "Tactic: Privilege Escalation",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index e6087f04f..b3ffe646b 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -55,7 +53,6 @@ reference = "https://attack.mitre.org/techniques/T1530/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index 301b47cc7..92c23e47a 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/08/12"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
index 60f60148c..b58c6dfac 100644
--- a/rules/integrations/azure/credential_access_key_vault_modified.toml
+++ b/rules/integrations/azure/credential_access_key_vault_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 4373e0661..5f1e83dab 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,12 @@ references = [
 risk_score = 21
 rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index 54c17bac9..e6d6c3ef2 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +34,12 @@ references = [
 risk_score = 47
 rule_id = "1a36cace-11a7-43a8-9a10-b497c5a02cd3"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index 48d4d5cdd..50ea493d4 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
index 45331762b..7802a541a 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/09/22"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -30,7 +28,13 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
 risk_score = 47
 rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index 47626334d..3d1aed023 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index 230a3c55e..cad7d6eec 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
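Review bot: The rebuilt tags block for defense_evasion_azure_blob_permissions_modified.toml carries `"Data Source: Elastic Defend"` over unchanged, on a rule whose metadata declares `integration = ["azure"]` in the preceding hunk of the same file and whose sibling Azure rules in this diff tag only `"Data Source: Azure"`. Unless the query also matches endpoint events, which this hunk cannot show, that line looks like a mislabel that would surface an Azure activity-log rule under the Elastic Defend data-source filter; dropping it, leaving `"Tactic: Defense Evasion",` as the last entry, is the likely fix. Since the commit already rewrites this block, it is the cheapest point at which to correct it, or at least to note in the commit description that tag contents were deliberately left as-is.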
@@ -81,7 +79,7 @@ tags = [ "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", - "Tactic: Defense Evasion" + "Tactic: Defense Evasion", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml index a12e6f744..b94eb74a5 100644 --- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml +++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml index 438edb64f..f0c701c2c 100644 --- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml +++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -31,7 +29,12 @@ references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-ov risk_score = 21 rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml index 4569cd69a..acea8b019 100644 --- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml +++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2021/08/01" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] @@ -35,7 +33,12 @@ references = [ risk_score = 21 rule_id = "09d028a5-dcde-409f-8ae0-557cef1b7082" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml index 1d762fb49..12782cf9c 100644 --- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml @@ -2,9 +2,7 @@ creation_date = "2021/06/24" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml index 1e460c72f..4bf9be6b0 100644 
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,7 +30,12 @@ references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-wa risk_score = 47 rule_id = "323cb487-279d-4218-bcbd-a568efe930c6" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml index d3ce5bbd3..5adfd45ab 100644 --- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml +++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml @@ -2,9 +2,7 @@ creation_date = "2021/08/27" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml index d0643bd18..61d9adf1f 100644 --- a/rules/integrations/azure/discovery_blob_container_access_mod.toml +++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml index c23a07b5e..6913c697a 100644 --- a/rules/integrations/azure/execution_command_virtual_machine.toml +++ b/rules/integrations/azure/execution_command_virtual_machine.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml index beb326d83..d66662ddb 100644 --- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml +++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml @@ -2,9 +2,7 @@ creation_date = "2021/05/05" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml index 6fb47608b..791f2c8c2 100644 --- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/06/24" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml index e84b27820..6ccdd075a 100644 --- a/rules/integrations/azure/impact_resource_group_deletion.toml +++ b/rules/integrations/azure/impact_resource_group_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml index b8dfb12a9..f1e9e003e 100644 --- a/rules/integrations/azure/impact_virtual_network_device_modified.toml +++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/12" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml index 7a19dec88..fb43d7cad 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml +++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/01/04" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Willem D'Haese"] @@ -79,7 +77,7 @@ tags = [ "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", - "Tactic: Initial Access" + "Tactic: Initial Access", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml index 18bec5776..1657100c3 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml +++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] @@ -74,7 +72,7 @@ tags = [ "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", - "Tactic: Initial Access" + "Tactic: Initial Access", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml index 759a39fb3..84c1ea44c 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml +++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +76,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access"
+ "Tactic: Initial Access",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index d5fd491a1..8766f39fc 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure", "o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -80,7 +78,7 @@ tags = [
 "Data Source: Microsoft 365",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access"
+ "Tactic: Initial Access",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
index bd4236456..ec46d414b 100644
--- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
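Review bot: The pin removed from initial_access_consent_grant_attack_via_azure_registered_application.toml, `min_stack_version = "8.8.0"`, is not the routine 8.3.0 pin dropped in the neighbouring hunks; its own `min_stack_comments` line recorded a breaking field change in the Microsoft 365 integration, so a pre-8.8 stack would presumably receive a rule that queries fields its o365 data does not carry. After this hunk nothing in the rule file records that constraint, so the rule stays correct only while the repository-wide minimum supported stack version is kept at or above 8.8.0, a dependency that is invisible to anyone reading the rule. I would note the case in the versioning documentation and have the trimming code assert that the minimum is never lowered below the highest pin it removed, or else keep these two lines in this file. The rule body continues outside this hunk.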
@@ -2,9 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml index c8018b94f..114f1210d 100644 --- a/rules/integrations/azure/persistence_azure_automation_account_created.toml +++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml index 9b4723dc0..94aa992de 100644 --- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml +++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml index d0d03fc2d..370c2d78c 100644 --- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml 
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml index a679e83b9..fda5b5dbb 100644 --- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml +++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml index aed4975d3..d3509a4a0 100644 --- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml index 913b40985..c27d826a2 100644 
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml +++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/24" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml index 6e2bcb3b6..fa292e7a4 100644 --- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml +++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -75,7 +73,7 @@ tags = [ "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", - "Tactic: Persistence" + "Tactic: Persistence", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml index 73504c667..df2043ba4 100644 --- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml +++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -69,7 +67,7 @@ tags = [ "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", - "Tactic: Persistence" + "Tactic: Persistence", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml index 976609b89..1da8d4b00 100644 --- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml +++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml index 83a6a7834..cdb708184 100644 --- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml +++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml index 09f19c7c6..c57337e5f 100644 --- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] @@ -29,7 +27,12 @@ references = [ risk_score = 21 rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml index fe0d91851..af8cc879b 100644 --- a/rules/integrations/cloud_defend/container_workload_protection.toml +++ b/rules/integrations/cloud_defend/container_workload_protection.toml 
@@ -2,15 +2,13 @@
 creation_date = "2023/04/05"
 integration = ["cloud_defend"]
 maturity = "production"
-min_stack_comments = "Initial version of the Container Workload Protection alerts"
-min_stack_version = "8.8.0"
-updated_date = "2024/05/13"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to
-immediately begin triaging and investigating these alerts.
+Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you
+to immediately begin triaging and investigating these alerts.
 """
 enabled = true
 from = "now-10m"
@@ -39,3 +37,4 @@ type = "query"
 query = '''
 event.kind:alert and event.module:cloud_defend
 '''
+
diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
index 4311d3809..da057f623 100644
--- a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
@@ -2,52 +2,60 @@ creation_date = "2023/06/28" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment." +description = """ +This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a +container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or +facilitate a container breakout to the underlying cloud environment. +""" from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "AWS Credentials Searched For Inside A Container" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] -references = [ - "https://sysdig.com/blog/threat-detection-aws-cloud-containers/", -] +references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"] risk_score = 47 rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767" severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where event.module == "cloud_defend" and event.type == "start" and /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") 
or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*") -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" - [rule.threat.tactic] - id = "TA0006" - reference = "https://attack.mitre.org/tactics/TA0006/" - name = "Credential Access" - [[rule.threat.technique]] - id = "T1552" - reference = "https://attack.mitre.org/techniques/T1552/" - name = "Unsecured Credentials" - [[rule.threat.technique.subtechnique]] - id = "T1552.001" - reference = "https://attack.mitre.org/techniques/T1552/001/" - name = "Credentials In Files" +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml index 77b0d8b6a..ad37dcc18 100644 --- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml @@ -2,9 +2,7 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
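Review bot: In the re-quoted query the pattern `"*access_key*"` already matches every argument that `"*aws_access_key_id*"` or `"*aws_secret_access_key*"` would, so those two entries are dead and the list reads tighter than it is; since EQL's `:` comparison is case-insensitive, `*access_key*` will also fire on any vendor's ACCESS_KEY string, not only AWS material. If the broad match is intended, say so in the existing `/* ... */` comment and drop the subsumed entries; otherwise remove `"*access_key*"` and keep the AWS-specific names. Separately, this rule's only index is `logs-cloud_defend*`, a data source that exists only on stacks shipping the Cloud Defend integration, which the removed `min_stack_version = "8.8.0"` line used to guarantee; the rule now relies on the repository-wide minimum stack staying at or above that version, which is worth stating in the versioning documentation.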
@@ -21,7 +19,14 @@ name = "Sensitive Files Compression Inside A Container" risk_score = 47 rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1" severity = "medium" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", +] timestamp_override = "event.ingested" type = "eql" @@ -95,3 +100,4 @@ reference = "https://attack.mitre.org/techniques/T1560/001/" id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml index d1b2210cb..dc8fd0b0b 100644 --- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml 
@@ -2,30 +2,36 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine." +description = """ +This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords +inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container +environment or facilitate a container breakout to the underlying host machine. +""" from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "Sensitive Keys Or Passwords Searched For Inside A Container" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] -references = [ - "https://sysdig.com/blog/cve-2021-25741-kubelet-falco/", -] +references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"] risk_score = 47 rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a" severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where container.id: "*" and event.type== "start" and (( /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ 
@@ -39,22 +45,24 @@ or (process.name in ("find", "locate", "mlocate") or process.args in ("find", "locate", "mlocate")) and process.args : ("*id_rsa*", "*id_dsa*") )) -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" - [rule.threat.tactic] - id = "TA0006" - reference = "https://attack.mitre.org/tactics/TA0006/" - name = "Credential Access" - [[rule.threat.technique]] - id = "T1552" - reference = "https://attack.mitre.org/techniques/T1552/" - name = "Unsecured Credentials" - [[rule.threat.technique.subtechnique]] - id = "T1552.001" - reference = "https://attack.mitre.org/techniques/T1552/001/" - name = "Credentials In Files" +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml index 76e8dad4c..14581165c 100644 --- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml +++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml 
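Review bot: The key-file branch of the query, `process.args : ("*id_rsa*", "*id_dsa*")`, covers only the RSA and DSA default filenames, so a `find` or `locate` for `id_ecdsa` or `id_ed25519` inside the container goes undetected even though recent OpenSSH releases generate Ed25519 keys by default and the rule's name promises private SSH keys in general; extend it to `process.args : ("*id_rsa*", "*id_dsa*", "*id_ecdsa*", "*id_ed25519*")`. The grep branch above may catch some of these through other strings, but it is part of the previous hunk and cannot be confirmed from here. The enclosing `query` block begins outside this hunk.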
@@ -2,17 +2,16 @@ creation_date = "2023/06/06" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. -The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying -the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and -has been used to evade detection of malicious processes in container environments. +This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a +container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the +dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to +grant unauthorized access to system resources and has been used to evade detection of malicious processes in container +environments. """ from = "now-6m" index = ["logs-cloud_defend*"] @@ -22,9 +21,9 @@ license = "Elastic License v2" name = "Modification of Dynamic Linker Preload Shared Object Inside A Container" references = [ "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", - "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", "https://sysdig.com/blog/threat-detection-aws-cloud-containers/", -] +] risk_score = 73 rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee" severity = "high" 
@@ -54,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1574/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml index cae35970e..bb9fab55b 100644 --- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml 
@@ -2,73 +2,88 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container." -false_positives = [""" - There is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. - """] +description = """ +This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, +tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, +or exploitation, and should be monitored closely within a container. +""" +false_positives = [ + """ + There is a potential for false positives if the container is used for legitimate tasks that require the use of + network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any + alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate + container activity. 
+ """, +] from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "Suspicious Network Tool Launched Inside A Container" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Command and Control", "Tactic: Reconnaissance"] risk_score = 47 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50" severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Command and Control", + "Tactic: Reconnaissance", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where container.id: "*" and event.type== "start" and ( (process.name: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) or /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.args: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) ) -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] - id = "TA0007" - reference = "https://attack.mitre.org/tactics/TA0007/" - name = "Discovery" - - [[rule.threat.technique]] - id = "T1046" - reference = "https://attack.mitre.org/techniques/T1046/" - name = "Network Service Discovery" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" - 
[rule.threat.tactic] - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" - name = "Command and Control" - - [[rule.threat.technique]] - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" - name = "Ingress Tool Transfer" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" - [rule.threat.tactic] - id = "TA0043" - reference = "https://attack.mitre.org/tactics/TA0043/" - name = "Reconnaissance" - [[rule.threat.technique]] - id = "T1595" - reference = "https://attack.mitre.org/techniques/T1595/" - name = "Active Scanning" +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml index 50f1e3610..24a7ee25a 100644 --- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml 
@@ -2,16 +2,23 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration." -false_positives = [""" - There is a potential for false positives if the container is used for legitimate administrative tasks that require the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. - """] +description = """ +This rule detects when a container management binary is run from inside a container. These binaries are critical +components of many containerized environments, and their presence and execution in unauthorized containers could +indicate compromise or a misconfiguration. +""" +false_positives = [ + """ + There is a potential for false positives if the container is used for legitimate administrative tasks that require + the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is + important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity + or part of legitimate container activity. + """, +] from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" 
@@ -21,24 +28,32 @@ name = "Container Management Utility Run Inside A Container" risk_score = 21 rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50" severity = "low" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where container.id: "*" and event.type== "start" and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl") -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" - [rule.threat.tactic] - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - name = "Execution" - [[rule.threat.technique]] - id = "T1609" - reference = "https://attack.mitre.org/techniques/T1609/" - name = "Container Administration Command" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml index 6a8e4acd1..64fb497ec 100644 --- a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container." +description = """ +This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file +permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized +or malicious code inside the container. +""" from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" 
@@ -18,45 +20,53 @@ name = "File Made Executable via Chmod Inside A Container" risk_score = 47 rule_id = "ec604672-bed9-43e1-8871-cf591c052550" severity = "medium" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' file where container.id: "*" and event.type in ("change", "creation") and /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name : "chmod" or process.args : "chmod") and process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - name = "Execution" - [[rule.threat.technique]] - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - name = "Command and Scripting Interpreter" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" - [rule.threat.tactic] - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" - name = "Defense 
Evasion" - [[rule.threat.technique]] - id = "T1222" - reference = "https://attack.mitre.org/techniques/T1222/" - name = "File and Directory Permissions Modification" - [[rule.threat.technique.subtechnique]] - id = "T1222.002" - reference = "https://attack.mitre.org/techniques/T1222/002/" - name = "Linux and Mac File and Directory Permissions Modification" - +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml index 78e59f5f2..16de26f88 100644 --- a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml 
@@ -2,17 +2,16 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' -command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. -This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. -A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout. +command in a pod allows a user to establish a temporary shell session and execute any process/command inside the +container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a +container's shell. A malicious actor could use this level of access to further compromise the container environment or +attempt a container breakout. """ false_positives = [ """ @@ -37,7 +36,13 @@ references = [ risk_score = 73 rule_id = "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1" severity = "high" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" 
@@ -57,23 +62,24 @@ process.interactive == true [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [rule.threat.tactic] - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - name = "Execution" - [[rule.threat.technique]] - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - name = "Command and Scripting Interpreter" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique.subtechnique]] - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - name = "Unix Shell" - - [[rule.threat.technique]] - id = "T1609" - name = "Container Administration Command" - reference = "https://attack.mitre.org/techniques/T1609/" diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml index 12ba616f3..55c5ccec6 100644 --- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml 
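Review bot: The number of blank lines emitted between the last `[[rule.threat.technique]]` entry and `[rule.threat.tactic]` is inconsistent across the reformatted rules: this hunk (execution_interactive_exec_to_container.toml) adds two empty `+` lines before `+[rule.threat.tactic]`, the credential-access and netcat_listener hunks add none, and the ssh_connection, ssh_process and ssh_authorized_keys hunks end up with two or more. If all of these files were rewritten by the same tool, the spacing presumably depends on how many blank lines the old file happened to contain rather than on a fixed rule, so a later normalization pass will churn every rule again. Normalizing to one blank line before each `[rule.threat.tactic]`, and ending files with a single newline instead of the extra empty line several hunks append at EOF, would keep future diffs limited to real changes.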
@@ -2,16 +2,19 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host." -false_positives = [""" - Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives. - """ +description = """ +This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential +container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host. +""" +false_positives = [ + """ + Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container + resulting in false positives. + """, ] from = "now-6m" index = ["logs-cloud_defend*"] @@ -19,14 +22,20 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "Suspicious Interactive Shell Spawned From Inside A Container" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] risk_score = 73 rule_id = "8d3d0794-c776-476b-8674-ee2e685f6470" severity = "high" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where container.id: "*" and event.type== "start" and 
@@ -37,22 +46,24 @@ event.action in ("fork", "exec") and event.action != "end" (process.executable: "*/*sh" and process.args: ("-i", "-it")) or process.args: "*/*sh" ) -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [rule.threat.tactic] - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - name = "Execution" - [[rule.threat.technique]] - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - name = "Command and Scripting Interpreter" - [[rule.threat.technique.subtechnique]] - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - name = "Unix Shell" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml index 3557818cd..c739bdcdc 100644 --- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml 
@@ -2,16 +2,23 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data." -false_positives = [""" - There is a potential for false positives if the container is used for legitimate tasks that require the use of netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. - """] +description = """ +This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and +writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for +persistence or exfiltrating data. +""" +false_positives = [ + """ + There is a potential for false positives if the container is used for legitimate tasks that require the use of + netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts + generated by this rule to determine if they are indicative of malicious activity or part of legitimate container + activity. + """, +] from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" 
@@ -21,11 +28,17 @@ name = "Netcat Listener Established Inside A Container" risk_score = 73 rule_id = "a52a9439-d52c-401c-be37-2785235c6547" severity = "high" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where container.id: "*" and event.type== "start" and event.action in ("fork", "exec") and ( @@ -38,22 +51,24 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") /* bind shell to specific port */ or process.args:("-*l*", "--listen", "-*p*", "--source-port") ) -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [rule.threat.tactic] - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - name = "Execution" - [[rule.threat.technique]] - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - name = "Command and Scripting Interpreter" - [[rule.threat.technique.subtechnique]] - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - name = "Unix Shell" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml index 09e02b6b1..d4cdae3dc 100644 
--- a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml @@ -2,21 +2,20 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside -a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use -it to gain initial access or establish persistence within a compromised environment. +This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a +container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it +to gain initial access or establish persistence within a compromised environment. """ -false_positives = [""" - SSH usage may be legitimate depending on the environment. - Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior. - """ +false_positives = [ + """ + SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed + to distinguish between authorized and potentially malicious behavior. + """, ] from = "now-6m" index = ["logs-cloud_defend*"] 
@@ -24,13 +23,20 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "SSH Connection Established Inside A Running Container" -references = [ +references = [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", ] risk_score = 73 rule_id = "f5488ac1-099e-4008-a6cb-fb638a0f0828" severity = "high" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", +] timestamp_override = "event.ingested" type = "eql" @@ -55,12 +61,11 @@ id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -72,7 +77,10 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml index 3b63f7787..5ed644ebe 100644 --- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml 
@@ -2,21 +2,21 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. -SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to -other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism. +This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and +server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With +valid credentials an attacker may move laterally to other containers or to the underlying host through container +breakout. They may also use valid SSH credentials as a persistence mechanism. """ -false_positives = [""" - SSH usage may be legitimate depending on the environment. - Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior. - """ +false_positives = [ + """ + SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed + to distinguish between authorized and potentially malicious behavior. + """, ] from = "now-6m" index = ["logs-cloud_defend*"] 
@@ -24,14 +24,21 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "SSH Process Launched From Inside A Container" -references = [ +references = [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/", ] risk_score = 73 rule_id = "03a514d9-500e-443e-b6a9-72718c548f6c" severity = "high" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", +] timestamp_override = "event.ingested" type = "eql" @@ -53,11 +60,12 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -65,6 +73,7 @@ id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml index 9e40863fb..30220e18f 100644 --- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml +++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml 
@@ -2,17 +2,15 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. -The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. -Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). -Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated. +This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure +Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. +Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and +unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated. """ from = "now-6m" index = ["logs-cloud_defend*"] @@ -23,7 +21,14 @@ name = "SSH Authorized Keys File Modified Inside a Container" risk_score = 73 rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3" severity = "high" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Lateral Movement"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Lateral Movement", +] timestamp_override = "event.ingested" type = "eql" 
@@ -44,24 +49,14 @@ id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1563" -name = "Remote Service Session Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/" -[[rule.threat.technique.subtechnique]] -id = "T1563.001" -name = "SSH Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/001/" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -71,7 +66,20 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" +[[rule.threat.technique.subtechnique]] +id = "T1563.001" +name = "SSH Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/001/" + + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml index 7d3c3b6c2..e02c4778a 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/12/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml index 5b9bb8a9d..8c44e8b3c 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml index 59d455b44..014a64956 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml @@ -2,10 +2,8 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -35,7 +33,12 @@ risk_score = 73 rule_id = "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54" rule_name_override = "event.action" severity = "high" -tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = [ + "Data Source: CyberArk PAS", + "Use Case: Log Auditing", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml index 9c63474aa..4fd99826f 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml @@ -2,10 +2,8 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -35,7 +33,12 @@ risk_score = 73 rule_id = "c5f81243-56e0-47f9-b5bb-55a5ed89ba57" rule_name_override = "event.action" severity = "high" -tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = [ + "Data Source: CyberArk PAS", + "Use Case: Log Auditing", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml index 0291e6813..55bf68afc 100644 
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New rule" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -19,6 +17,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code" name = "Potential Data Exfiltration Activity to an Unusual ISO Code" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "e1db8899-97c1-4851-8993-3a3265353601" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). 
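Review bot: With the `8.9.0` floor gone, this ML rule is published to every stack the branch supports, yet it depends on the `ded` integration's anomaly job (`machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code"`) and the setup text in the same hunk states the Data Exfiltration Detection integration assets must be installed. Please confirm the branch's minimum stack in `stack-schema-map.yaml` (changed in this PR, not visible here) is at or above 8.9.0; the removed comment only says "New rule", so the reason for the floor cannot be recovered from the hunk, and if the floor is lower `min_stack_version = "8.9.0"` should stay. The same check applies to the remaining `ded` and `dga` rules further down in this patch. Moving `references`, `risk_score` and `rule_id` ahead of `setup` is a pure reorder with identical values.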
@@ -45,13 +50,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "e1db8899-97c1-4851-8993-3a3265353601" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml index 71f7de4c7..88a012b6e 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New rule" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -19,6 +17,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_ip" name = "Potential Data Exfiltration Activity to an Unusual IP Address" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). @@ -45,13 +50,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml index 7d5b38f04..20d6850ca 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New rule" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -18,6 +16,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_port" name = "Potential Data Exfiltration Activity to an Unusual Destination Port" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "ef8cc01c-fc49-4954-a175-98569c646740" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). @@ -44,13 +49,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "ef8cc01c-fc49-4954-a175-98569c646740" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", 
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml index 697084409..1a3e7ef85 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New rule" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -19,6 +17,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_region_name" name = "Potential Data Exfiltration Activity to an Unusual Region" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "bfba5158-1fd6-4937-a205-77d96213b341" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). 
@@ -45,13 +50,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "bfba5158-1fd6-4937-a205-77d96213b341" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml index a560d7cd2..b62f5b169 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -min_stack_comments = "New rule" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -19,6 +17,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_bytes_written_to_external_device" name = "Spike in Bytes Sent to an External Device" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). @@ -44,13 +49,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml index 7a30d8d9b..d484668f8 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml 
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -min_stack_comments = "New rule" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -20,6 +18,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop" name = "Spike in Bytes Sent to an External Device via Airdrop" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). @@ -45,13 +50,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", 
diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml index cdc7a88d3..fc98cc66a 100644 --- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -min_stack_comments = "New rule" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -19,6 +17,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_rare_process_writing_to_external_device" name = "Unusual Process Writing Data to an External Device" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). 
@@ -44,13 +49,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml index d6550b0d4..47b2a9d99 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "DGA package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -17,6 +15,13 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "Machine Learning Detected DGA activity using a known SUNBURST DNS domain" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", +] +risk_score = 99 +rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766" setup = """## Setup The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. @@ -63,13 +68,6 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio } ``` """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/dga", - "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", -] -risk_score = 99 -rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766" severity = "critical" tags = [ "Domain: Network", diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml index 76e884d76..0830449ff 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "DGA package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 
@@ -19,6 +17,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "dga_high_sum_probability" name = "Potential DGA Activity" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", +] +risk_score = 21 +rule_id = "ff0d807d-869b-4a0d-a493-52bc46d2f1b1" setup = """## Setup The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. @@ -72,13 +77,6 @@ Before you can enable this rule, you'll need to enable the corresponding Anomaly - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json) configuration file, you will see a card for DGA under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/dga", - "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", -] -risk_score = 21 -rule_id = "ff0d807d-869b-4a0d-a493-52bc46d2f1b1" severity = "low" tags = [ "Use Case: Domain Generation Algorithm Detection", diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml index 88007164d..dca1fb0b3 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "DGA package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -17,6 +15,13 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "Machine Learning Detected a DNS Request With a High DGA Probability Score" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", +] +risk_score = 21 +rule_id = "da7f5803-1cd4-42fd-a890-0173ae80ac69" setup = """## Setup The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. @@ -63,13 +68,6 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio } ``` """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/dga", - "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", -] -risk_score = 21 -rule_id = "da7f5803-1cd4-42fd-a890-0173ae80ac69" severity = "low" tags = [ "Domain: Network", diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml index 79e0bc018..ef50f1011 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "DGA package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -17,6 +15,13 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "Machine Learning Detected a DNS Request Predicted to be a DGA Domain" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", +] +risk_score = 21 +rule_id = "f3403393-1fd9-4686-8f6e-596c58bc00b4" setup = """## Setup The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. @@ -63,13 +68,6 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio } ``` """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/dga", - "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", -] -risk_score = 21 -rule_id = "f3403393-1fd9-4686-8f6e-596c58bc00b4" severity = "low" tags = [ "Domain: Network", diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml index ddc45fe68..7353bf7fc 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security.toml 
@@ -2,10 +2,8 @@ creation_date = "2020/07/08" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml index afc316a77..3d33d2ee9 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -31,7 +29,13 @@ references = ["https://cloud.google.com/pubsub/docs/overview"] risk_score = 21 rule_id = "d62b64a8-a7c9-43e5-aee3-15a725a794e7" severity = "low" -tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"] +tags = [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Log Auditing", + "Tactic: Collection", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml index de979e300..701fd52c7 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/pubsub/docs/admin"]
 risk_score = 21
 rule_id = "a10d3d9d-0f65-48f1-8b25-af175e2594f5"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Collection",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index f19f55da1..bf65a769b 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,13 @@ references = [
 risk_score = 21
 rule_id = "30562697-9859-4ae0-a8c5-dab45d664170"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index 68d787f49..2bd5d9305 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,13 @@ references = [
 risk_score = 47
 rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index 3f219874a..ae5126fc5 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,13 @@ references = [
 risk_score = 47
 rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index 5e66bedff..a9e9ba235 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,13 @@ references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.go
 risk_score = 47
 rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index cb5235891..3b91941b1 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/18"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/logging/docs/export"]
 risk_score = 47
 rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index 03c2b9b4a..d81d4f1c7 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index df8980906..b0c2ba3b6 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/18"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "3202e172-01b1-4738-a932-d024c514ba72"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index b1f8119e7..58c3e1614 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -29,7 +27,13 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 93d434aa0..5aa2543b2 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -30,7 +28,13 @@ references = ["https://cloud.google.com/storage/docs/access-control/iam-permissi
 risk_score = 47
 rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
index 9d7467ce9..ae837651b 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/vpc/docs/vpc"]
 risk_score = 47
 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
index d8ab78834..14e579912 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 21
 rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
index 9084f33dc..b0b775a5f 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 47
 rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index 28408b639..c1b0254c4 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
 risk_score = 21
 rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Exfiltration"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Exfiltration",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index 4bd608d68..c999c7eeb 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/iam/docs/understanding-roles"]
 risk_score = 21
 rule_id = "e2fb5b18-e33c-4270-851e-c3d675c9afcd"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index 15b278eef..7f30b45a1 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,13 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index 5f4640b98..034f249af 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,13 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index b4c74cf81..cfc19dbb1 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index a412746fc..fbf520545 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
 risk_score = 47
 rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 894d12936..18048b305 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,13 @@ references = [
 risk_score = 21
 rule_id = "9890ee61-d061-403d-9bf6-64934c51f638"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 8ee735064..07b969e6a 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -36,7 +34,13 @@ references = [
 risk_score = 21
 rule_id = "0e5acaae-6a64-4bbc-adb8-27649c03f7e1"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 4207b15ff..b929f9b69 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,13 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 21
 rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
index d38ee9496..d85163a5c 100644
--- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
+++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
@@ -2,18 +2,15 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/30"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules
-can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in
-your repository. Changes to these protected branch settings should be investigated and verified as legitimate
-activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed
-for future attacks.
+This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be
+used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository.
+Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized
+changes could be used to lower your organization's security posture and leave you exposed for future attacks.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -26,11 +23,13 @@ severity = "medium"
 tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 configuration where event.dataset == "github.audit"
- and github.category == "protected_branch" and event.type == "change"
+ and github.category == "protected_branch" and event.type == "change"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
index 891c18175..b49bc9b33 100644
--- a/rules/integrations/github/execution_github_app_deleted.toml
+++ b/rules/integrations/github/execution_github_app_deleted.toml
@@ -2,15 +2,11 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/11"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
-description = """
-Detects the deletion of a GitHub app either from a repo or an organization.
-"""
+description = "Detects the deletion of a GitHub app either from a repo or an organization.\n"
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "eql"
@@ -19,11 +15,7 @@ name = "GitHub App Deleted"
 risk_score = 21
 rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
 severity = "low"
-tags = ["Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Github"
- ]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -31,6 +23,7 @@ query = '''
 configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -43,3 +36,4 @@ reference = "https://attack.mitre.org/techniques/T1648/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
index dfa81e027..85da5ced6 100644
--- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
+++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
@@ -2,14 +2,13 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added to GitHub Integration"
-min_stack_version = "8.8.0"
-updated_date = "2023/12/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
+Detects a high number of unique private repo clone events originating from a single personal access token within a short
+time period.
 """
 from = "now-6m"
 index = ["logs-github.audit-*"]
@@ -19,12 +18,13 @@ name = "High Number of Cloned GitHub Repos From PAT"
 risk_score = 21
 rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
 severity = "low"
-tags = ["Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Execution",
- "Data Source: Github"
- ]
+tags = [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -34,6 +34,7 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal
 github.repository_public:false
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -50,7 +51,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.threshold]
 field = ["github.hashed_token"]
 value = 1
-
 [[rule.threshold.cardinality]]
 field = "github.repo"
 value = 10
+
+
diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
index 2908f7b3e..b055bbe42 100644
--- a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
+++ b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
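Review bot: Removing `min_stack_version = "8.8.0"` together with its comment `New fields added to GitHub Integration` leaves nothing in the rule recording that the query and threshold depend on GitHub integration fields (`github.programmatic_access_type`, `github.repository_public`, `github.hashed_token`, `github.repo`) that the removed comment tied to that stack floor; on a stack or integration version that does not populate them the threshold rule simply never matches and fails silently. If the trimming assumes the branch's minimum supported stack is already at or above 8.8.0 that is presumably intended, but the dependency should survive in the rule text rather than only in version history. Suggest a `note` or an extra `setup` line such as `This rule requires the GitHub integration fields github.programmatic_access_type, github.repository_public and github.hashed_token, available from stack 8.8.0.` The query's opening lines are outside the hunk; only its last line and the `[rule.threshold]` block are visible here.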
@@ -1,17 +1,14 @@
 [metadata]
 creation_date = "2023/12/14"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/12/18"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to
-determine when multiple alerts are executed by the same user in a timespan of one hour.
-Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user
-accounts or PATs.
+This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when
+multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and
+response, as these alerts are a higher indicator of compromised user accounts or PATs.
 """
 from = "now-60m"
 index = [".alerts-security.*"]
@@ -21,13 +18,14 @@ name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
 risk_score = 47
 rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
 severity = "medium"
-tags = ["Domain: Cloud",
-    "Use Case: Threat Detection",
-    "Use Case: UEBA",
-    "Tactic: Execution",
-    "Rule Type: Higher-Order Rule",
-    "Data Source: Github"
-    ]
+tags = [
+  "Domain: Cloud",
+  "Use Case: Threat Detection",
+  "Use Case: UEBA",
+  "Tactic: Execution",
+  "Rule Type: Higher-Order Rule",
+  "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "threshold"
 
@@ -35,6 +33,7 @@ query = '''
 signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -46,7 +45,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.threshold]
 field = ["user.name"]
 value = 1
-
 [[rule.threshold.cardinality]]
 field = "signal.rule.name"
 value = 5
+
+
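Review bot: The last hunk of this file appends two empty lines after `value = 5`, so the rule file now ends in a trailing blank block rather than a single newline; the PAT rule above gets the same two trailing `+` lines after `value = 10`, and the Google Workspace OAuth-login rule further down after `value = "now-15d"`. This is presumably the formatter's output, but most editors and end-of-file linters normalise to exactly one newline, which means the next contributor's save will undo it and churn these files again. If the formatter cannot be taught to emit a single trailing newline, it would be worth saying so in the commit description so the extra blank lines are understood as intentional.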
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml
index 2d07e6bb6..8d63b58be 100644
--- a/rules/integrations/github/execution_new_github_app_installed.toml
+++ b/rules/integrations/github/execution_new_github_app_installed.toml
@@ -2,18 +2,16 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/03"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a new GitHub App has been installed in your organization account.
-GitHub Apps extend GitHub's functionality both within and outside of GitHub.
-When an app is installed it is granted permissions to read or modify your repository and organization data.
-Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy.
-Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.
+This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's
+functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify
+your repository and organization data. Only trusted apps should be installed and any newly installed apps should be
+investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture
+and leave you exposed for future attacks.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -26,10 +24,12 @@ severity = "medium"
 tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -38,7 +38,6 @@ name = "Software Deployment Tools"
 reference = "https://attack.mitre.org/techniques/T1072/"
 
 
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml
index 9eebd68ae..c75c9c689 100644
--- a/rules/integrations/github/impact_github_repository_deleted.toml
+++ b/rules/integrations/github/impact_github_repository_deleted.toml
@@ -2,19 +2,15 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/12/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a GitHub repository is deleted within your organization.
-Repositories are a critical component used within an organization to manage work,
-collaborate with others and release products to the public. Any delete action against
-a repository should be investigated to determine it's validity. Unauthorized deletion
-of organization repositories could cause irreversible loss of intellectual property and
-indicate compromise within your organization.
+This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component
+used within an organization to manage work, collaborate with others and release products to the public. Any delete
+action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization
+repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -24,18 +20,21 @@ name = "GitHub Repository Deleted"
 risk_score = 47
 rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
 severity = "medium"
-tags = ["Domain: Cloud",
-    "Use Case: Threat Detection",
-    "Use Case: UEBA",
-    "Tactic: Impact",
-    "Data Source: Github"
-    ]
+tags = [
+  "Domain: Cloud",
+  "Use Case: Threat Detection",
+  "Use Case: UEBA",
+  "Tactic: Impact",
+  "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 configuration where event.module == "github" and event.action == "repo.destroy"
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
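Review bot: The reflowed description in the first hunk carries the typo `it's validity` forward in the new line `+action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization`; since the whole paragraph is being rewritten anyway, this is the natural moment to correct it to `its validity`. The same typo is re-emitted in persistence_github_org_owner_added.toml below (`+new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise`), while persistence_organization_owner_role_granted.toml already reads `its validity`, so the three rules would also become consistent. This text is shown to analysts in the rule details, which is why a wording fix here is worth a line in the diff.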
@@ -44,8 +43,8 @@ name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
 
 
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml
index 7fd963c9f..df89d4bd0 100644
--- a/rules/integrations/github/persistence_github_org_owner_added.toml
+++ b/rules/integrations/github/persistence_github_org_owner_added.toml
@@ -2,16 +2,14 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/12/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects when a new member is added to a GitHub organization as an owner.
-This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity.
-Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
+Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any
+new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise
+within your organization and provide unlimited access to data and settings.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -21,18 +19,21 @@ name = "New GitHub Owner Added"
 risk_score = 47
 rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
 severity = "medium"
-tags = ["Domain: Cloud",
-    "Use Case: Threat Detection",
-    "Use Case: UEBA",
-    "Tactic: Persistence",
-    "Data Source: Github"
-    ]
+tags = [
+  "Domain: Cloud",
+  "Use Case: Threat Detection",
+  "Use Case: UEBA",
+  "Tactic: Persistence",
+  "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -45,6 +46,7 @@ name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1136/003/"
 
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml
index 08adb6849..7c31e5261 100644
--- a/rules/integrations/github/persistence_organization_owner_role_granted.toml
+++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml
@@ -2,16 +2,14 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/12/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a member is granted the organization owner role of a GitHub organization.
-This role provides admin level privileges. Any new owner role should be investigated to determine its validity.
-Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
+This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides
+admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles
+could indicate compromise within your organization and provide unlimited access to data and settings.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -21,18 +19,21 @@ name = "GitHub Owner Role Granted To User"
 risk_score = 47
 rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
 severity = "medium"
-tags = ["Domain: Cloud",
-    "Use Case: Threat Detection",
-    "Use Case: UEBA",
-    "Tactic: Persistence",
-    "Data Source: Github"
-    ]
+tags = [
+  "Domain: Cloud",
+  "Use Case: Threat Detection",
+  "Use Case: UEBA",
+  "Tactic: Persistence",
+  "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -45,6 +46,7 @@ name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
 
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
index 87875196e..3b0bb139b 100644
--- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
+++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/24"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +80,12 @@ references = ["https://support.google.com/a/answer/1247799?hl=en"]
 risk_score = 47
 rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"]
+tags = [
+  "Domain: Cloud",
+  "Data Source: Google Workspace",
+  "Tactic: Collection",
+  "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
index 0cfba8bdd..2f9485b97 100644
--- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
+++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +80,12 @@ references = ["https://support.google.com/a/answer/2685650?hl=en"]
 risk_score = 47
 rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"]
+tags = [
+  "Domain: Cloud",
+  "Data Source: Google Workspace",
+  "Tactic: Collection",
+  "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
index 32f0a1a92..32ca30997 100644
--- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
+++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/03/21"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
index 98380cea7..422ba0189 100644
--- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
+++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/25"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +88,7 @@ tags = [
   "Data Source: Google Workspace",
   "Use Case: Configuration Audit",
   "Resources: Investigation Guide",
-  "Tactic: Defense Evasion"
+  "Tactic: Defense Evasion",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
index f97647f94..1b92225d2 100644
--- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +83,7 @@ tags = [
   "Data Source: Google Workspace",
   "Use Case: Configuration Audit",
   "Tactic: Defense Evasion",
-  "Resources: Investigation Guide"
+  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
index 073d40ed6..e16f5f512 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +83,7 @@ tags = [
   "Data Source: Google Workspace",
   "Use Case: Configuration Audit",
   "Tactic: Defense Evasion",
-  "Resources: Investigation Guide"
+  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
index 703af0aef..600ad3278 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
@@ -2,18 +2,19 @@
 creation_date = "2023/03/30"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.
+Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant
+permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could
+allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.
 """
 false_positives = [
     """
-    Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks.
+    Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for
+    administrative tasks.
     """,
 ]
 from = "now-130m"
@@ -67,7 +68,6 @@ reference = "https://attack.mitre.org/techniques/T1550/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -89,7 +89,8 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["google_workspace.token.client.id"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-15d"
\ No newline at end of file
+value = "now-15d"
+
+
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
index 5e34dce62..771d2750a 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/25"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -94,7 +92,7 @@ tags = [
   "Data Source: Google Workspace",
   "Use Case: Configuration Audit",
   "Tactic: Defense Evasion",
-  "Resources: Investigation Guide"
+  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
index d369794ed..65f289b26 100644
--- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
+++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
@@ -2,10 +2,8 @@
 creation_date = "2023/01/15"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Google Workspace feature only present in 8.4+ stack versions"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
 promotion = true
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +36,12 @@ risk_score = 73
 rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
 rule_name_override = "google_workspace.alert.type"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Log Auditing", "Use Case: Threat Detection"]
+tags = [
+  "Domain: Cloud",
+  "Data Source: Google Workspace",
+  "Use Case: Log Auditing",
+  "Use Case: Threat Detection",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -46,21 +49,23 @@ query = '''
 event.dataset: google_workspace.alert
 '''
 
+
 [[rule.severity_mapping]]
 field = "google_workspace.alert.metadata.severity"
-value = "LOW"
 operator = "equals"
 severity = "low"
+value = "LOW"
 
 [[rule.severity_mapping]]
 field = "google_workspace.alert.metadata.severity"
-value = "MEDIUM"
 operator = "equals"
 severity = "medium"
+value = "MEDIUM"
 
 [[rule.severity_mapping]]
 field = "google_workspace.alert.metadata.severity"
-value = "HIGH"
 operator = "equals"
 severity = "high"
+value = "HIGH"
 
+
diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
index 14aedf960..747f1ff2f 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +83,7 @@ tags = [
   "Data Source: Google Workspace",
   "Use Case: Identity and Access Audit",
   "Tactic: Impact",
-  "Resources: Investigation Guide"
+  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
index 482baaafd..9999e04f1 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
index 74015523b..c023a887b 100644
--- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
+++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/02/16"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml b/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
index 3d9429701..73a01ef94 100644
--- a/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/03/07"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -91,7 +89,12 @@ references = [
 risk_score = 47
 rule_id = "f33e68a4-bd19-11ed-b02f-f661ea17fbcc"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = [
+  "Domain: Cloud",
+  "Data Source: Google Workspace",
+  "Tactic: Initial Access",
+  "Resources: Investigation Guide",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
index 76b673f2d..379476c08 100644
--- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -42,7 +40,12 @@ references = ["https://support.google.com/a/answer/1110339"]
 risk_score = 21
 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
+tags = [
+  "Domain: Cloud",
+  "Data Source: Google Workspace",
+  "Use Case: Identity and Access Audit",
+  "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
index d59bb7ceb..d7eb4ce55 100644
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +87,7 @@ tags = [
   "Data Source: Google Workspace",
   "Use Case: Configuration Audit",
   "Tactic: Persistence",
-  "Resources: Investigation Guide"
+  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
index 9a5cac6ae..0d47da77d 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/26"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +87,7 @@ tags = [
   "Data Source: Google Workspace",
   "Use Case: Configuration Audit",
   "Tactic: Persistence",
-  "Resources: Investigation Guide"
+  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index a99d25729..78b80ba64 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -92,7 +90,7 @@ tags = [
   "Data Source: Google Workspace",
   "Use Case: Identity and Access Audit",
   "Tactic: Persistence",
-  "Resources: Investigation Guide"
+  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index 570539eeb..eb8bc2a62 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/12"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +81,13 @@ references = ["https://developers.google.com/admin-sdk/directory/v1/guides/deleg
 risk_score = 47
 rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
+tags = [
+  "Domain: Cloud",
+  "Data Source: Google Workspace",
+  "Use Case: Identity and Access Audit",
+  "Resources: Investigation Guide",
+  "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index 770238e7a..1a5b51af5 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +83,13 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
risk_score = 47
rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be"
severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Persistence",
+]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
index 21f071d54..6181ee74c 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
@@ -2,9 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -87,7 +85,7 @@ tags = [
"Data Source: Google Workspace",
"Use Case: Identity and Access Audit",
"Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index 672b61c78..fae520fa6 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -2,9 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -87,7 +85,13 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
risk_score = 47
rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5"
severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Persistence",
+]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
index fc0fc2576..bec056960 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -2,9 +2,7 @@
creation_date = "2022/09/06"
integration = ["google_workspace"]
maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -91,7 +89,7 @@ tags = [
"Data Source: Google Workspace",
"Use Case: Configuration Audit",
"Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index 5a0fc0bd2..098cfa615 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -2,9 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -85,7 +83,7 @@ tags = [
"Data Source: Google Workspace",
"Use Case: Identity and Access Audit",
"Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index b04db4c49..50e54311e 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -2,9 +2,7 @@
creation_date = "2022/09/13"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index 2c1f88b33..d0589a903 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,9 +2,7 @@
creation_date = "2022/06/30"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index 083439142..1c134a8e0 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -2,9 +2,7 @@
creation_date = "2022/05/17"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index 6da38310c..2fd9df0a9 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -2,10 +2,7 @@
creation_date = "2022/09/13"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/23"
-
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index 2d6496307..84e57ae7e 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,9 +2,7 @@
creation_date = "2022/07/05"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
index 6389cbb8e..ab1756c91 100644
--- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
@@ -2,9 +2,7 @@
creation_date = "2022/09/20"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index 6b261fa4c..6b67122e5 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -2,9 +2,7 @@
creation_date = "2022/07/05"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 770e16e07..e1e7005a6 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,9 +2,7 @@
creation_date = "2022/07/05"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index d40d9a87a..49a1dec62 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -2,9 +2,7 @@
creation_date = "2022/07/05"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
index b91cc2315..20c8c1865 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
@@ -2,9 +2,7 @@
creation_date = "2022/07/11"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index 39639d75a..f1f93659d 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,9 +2,7 @@
creation_date = "2022/07/05"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index 97e333ac0..051c4b214 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
@@ -2,9 +2,7 @@
creation_date = "2022/09/13"
integration = ["kubernetes"]
maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
index 57b927c85..fdac1aa8b 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 @@ -19,6 +17,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_mean_rdp_process_args" name = "High Mean of Process Arguments in an RDP Session" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
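Review bot: The first lmd hunk drops a higher gate than the integration rules before it, `min_stack_version = "8.9.0"`, whose removed `min_stack_comments` tied the rule to the LMD package job IDs; after the change the rule's only link to that requirement is `machine_learning_job_id = "lmd_high_mean_rdp_process_args"`, which must exist on whatever stack loads the rule. Confirm that the trimmed minimum supported version is at or above 8.9.0, since the hunk itself cannot show it; the same removal is repeated in every other lmd `[metadata]` hunk in this range. Moving `references`, `risk_score` and `rule_id` above `setup` in the second hunk is a pure key reorder and changes no values, so it only needs to match what the repository's TOML formatter emits.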
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml index c88ed4a04..619c08ec2 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 
@@ -19,6 +17,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_mean_rdp_session_duration" name = "High Mean of RDP Session Duration" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. @@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml index cec48ce96..f2930aca5 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 @@ -20,6 +18,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_file_size_remote_file_transfer" name = "Unusual Remote File Size" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml index 83e027be2..f2072d40f 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 
@@ -19,6 +17,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_var_rdp_session_duration" name = "High Variance in RDP Session Duration" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. @@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml index 8528ef1ce..283fd1785 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 @@ -19,6 +17,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_rare_file_path_remote_transfer" name = "Unusual Remote File Directory" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
@@ -44,14 +50,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml index 1e67d54e0..fad3bd17f 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 
@@ -18,6 +16,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_rare_file_extension_remote_transfer" name = "Unusual Remote File Extension" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. @@ -43,14 +49,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml index 6717d596f..0c1dccd6c 100644 
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 @@ -19,6 +17,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source" name = "Spike in Number of Connections Made from a Source IP" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml index e9812f200..d3193f054 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 
@@ -19,6 +17,14 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
 name = "Spike in Number of Connections Made to a Destination IP"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
index f9f27d852..cdb15b8e9 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-min_stack_comments = "LMD package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 70
@@ -18,6 +16,14 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes"
 name = "Spike in Number of Processes in an RDP Session"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -44,14 +50,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
index 23f283148..7abc56dfe 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-min_stack_comments = "LMD package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 70
@@ -20,6 +18,14 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_count_remote_file_transfer"
 name = "Spike in Remote File Transfers"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
index 8819bf40e..d16f9cba3 100644
--- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-min_stack_comments = "LMD package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 70
@@ -19,6 +17,14 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
 name = "Unusual Time or Day for an RDP Session"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
index 332e71150..9cd9d0b44 100644
--- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/29"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Gary Blackwell", "Austin Songer"]
diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index 862240ebb..eefc98fb4 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -30,9 +28,14 @@ references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-u
 risk_score = 73
 rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
-type = "threshold"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
+type = "threshold"
 query = '''
 event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index b709ca3de..697a0f771 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/01"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -30,9 +28,14 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured
 risk_score = 73
 rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
-type = "threshold"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
+type = "threshold"
 query = '''
 event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 58d24cb04..f74a123e3 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,9 +27,14 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured
 risk_score = 73
 rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
-type = "threshold"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
+type = "threshold"
 query = '''
 event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index 8f99baefd..77bc6a6df 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 47
 rule_id = "60f3adec-1df9-4104-9c75-b97d9f078b25"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index c160e5ed5..ec5a1d9bb 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 47
 rule_id = "d743ff2a-203e-4a46-a3e3-40512cfe8fbb"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index b7384af5a..3a8e0b506 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 47
 rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index df89e34c0..9d9933ff3 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 21
 rule_id = "03024bd9-d23f-4ec1-8674-3cf1a21e130b"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index 147b3d4a3..c702bee9a 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/13"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 4cb6fe52e..b000de68c 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index b765b5575..1d3f8d659 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index d562df516..d249e245d 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index 288995e6a..91ff9f588 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
index 90fe94c86..517c52cf4 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/07/18"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/05/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,15 +32,20 @@ note = """## Triage and analysis - User changing of ClientAppId or new connection post an extended period of leave. - If the total number of accessed Mailboxes by ClientAppId is too high there is a high chance it's a false positive. """ +references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"] +risk_score = 47 +rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2" setup = """## Setup The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ -references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"] -risk_score = 47 -rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"] +tags = [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access", +] timestamp_override = "event.ingested" type = "new_terms" @@ -107,10 +110,11 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.ClientAppId"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-25d" + + diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml index c08ab9f66..197226743 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml 
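Review bot: The second hunk of this file appends two empty lines after `value = "now-25d"` at the end of `initial_access_microsoft_365_abnormal_clientappid.toml` (the two bare `+` markers before the next `diff --git`) while removing the blank line that preceded `[rule.new_terms]`; that looks like serializer output rather than an intended edit. If whatever tool rewrote these rules emits the trailing newlines, fixing it there once avoids the same whitespace churn reappearing in every future update of this rule. The field reorder in the first hunk (`references`, `risk_score`, `rule_id` moved ahead of `setup`) matches the LMD files above and reads as intentional.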
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,12 @@ references = [
 risk_score = 47
 rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 61782f361..71db20bf4 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,12 @@ references = [
 risk_score = 47
 rule_id = "97314185-2568-4561-ae81-f3e480e5e695"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index a9b2dd6b3..c0734782b 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 47
 rule_id = "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index 0453d71ad..9eb423152 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
@@ -29,7 +27,12 @@ references = [
 risk_score = 47
 rule_id = "0136b315-b566-482f-866c-1d8e2477ba16"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
index 90c76c255..0b96dcaff 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/12"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index 52de44169..1e1792287 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index 480d23d76..4ba15633d 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index e62ba72b5..348964efd 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
index daf801209..90ef11635 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index d3c597049..d445e6723 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 47
 rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index 94cfa6187..821b0bf2f 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/06"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -29,7 +27,12 @@ references = [ risk_score = 47 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"] +tags = [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml index e4a143449..a8da34138 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -31,12 +29,7 @@ references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts risk_score = 47 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml index a5288bc40..a47f63526 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml 
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml index 03d0fdbd6..cad302f36 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml +++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml index 7cc85cff0..5e7873a45 100644 --- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml +++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml @@ -2,9 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] 
@@ -30,7 +28,12 @@ references = [ risk_score = 21 rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8" severity = "low" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"] +tags = [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml index 5f546571c..7a71526db 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/19" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -20,6 +18,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_host" name = "Unusual Process Spawned by a Host" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "56004189-4e69-4a39-b4a9-195329d226e9" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -75,13 +80,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "56004189-4e69-4a39-b4a9-195329d226e9" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml index 08116f76b..eda57d043 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -20,6 +18,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_parent" name = "Unusual Process Spawned by a Parent Process" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -75,13 +80,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd" severity = "low" tags = [ "Domain: Endpoint", 
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml index 1f3913154..c9039de7f 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -21,6 +19,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_user" name = "Unusual Process Spawned by a User" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -76,13 +81,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml index ae2a2dd34..7b8a91cef 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -18,6 +16,13 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -66,13 +71,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi } ``` """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad" severity = "low" tags = [ "OS: Windows", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml index 0357b533e..c134556b6 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,6 +16,13 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "994e40aa-8c85-43de-825e-15f665375ee8" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -66,13 +71,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi } ``` """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "994e40aa-8c85-43de-825e-15f665375ee8" severity = "low" tags = [ "OS: Windows", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml index 77346bbbf..bfb17d0f2 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml 
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -22,6 +20,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_host" name = "Suspicious Windows Process Cluster Spawned by a Host" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -77,13 +82,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3" severity = "low" tags = [ "Use Case: Living off the Land Attack Detection", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml index 693b3cadd..f8a89d0a9 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -22,6 +20,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_parent" name = "Suspicious Windows Process Cluster Spawned by a Parent Process" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -77,13 +82,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml index d9533c157..98ff98440 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -22,6 +20,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_user" name = "Suspicious Windows Process Cluster Spawned by a User" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -77,13 +82,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b" severity = "low" tags = [ "Domain: Endpoint", 
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index 42f466d83..5d422e199 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,13 +29,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat -is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. -This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools -or files to another host in the network or exfiltrate data while attempting to evade detection in the process. +This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is +capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This +activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or +files to another host in the network or exfiltrate data while attempting to evade detection in the process. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
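Review bot: The rewrapped `description` text in the `[rule]` section of command_and_control_cat_network_activity.toml still carries the misspelling `transfering`; since the new side rewrites exactly those lines, the typo should be fixed in the same pass rather than re-flowed as-is, e.g. `capable of transferring data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This`. Everything else in this hunk (the added blank line after the osquery transform and the re-wrap to the line-length limit) is formatting only and needs no further change.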
@@ -131,13 +130,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -153,6 +153,7 @@ sequence by host.id, process.entity_id with maxspan=1s )] ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -160,7 +161,6 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -168,7 +168,6 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -176,3 +175,4 @@ framework = "MITRE ATT&CK" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml index 5a6cb5f3e..45b888b70 100644 --- a/rules/linux/command_and_control_linux_chisel_client_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,14 +29,15 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ -This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. -Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure -communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass -network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal -systems. +This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection +attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding +and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication +channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized +access to internal systems. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -108,8 +107,8 @@ This rule looks for a sequence of command line arguments that are consistent wit """ references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", - "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" - ] + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding", +] risk_score = 47 rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd" setup = """## Setup 
@@ -139,13 +138,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -158,15 +158,17 @@ sequence by host.id, process.entity_id with maxspan=1s "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml index 0f511f1f3..1ddfe0bd6 100644 --- a/rules/linux/command_and_control_linux_chisel_server_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,14 +29,15 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ -This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection -within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, -enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish -covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that -allow unauthorized access to internal systems. +This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received +connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP +tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to +establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating +tunnels that allow unauthorized access to internal systems. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -108,8 +107,8 @@ This rule looks for a sequence of command line arguments that are consistent wit """ references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", - "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" - ] + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding", +] risk_score = 47 rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f" setup = """## Setup 
@@ -139,13 +138,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+]
type = "eql"
+
query = '''
sequence by host.id, process.entity_id with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -158,15 +158,17 @@ sequence by host.id, process.entity_id with maxspan=1m
"ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
'''
+
[[rule.threat]]
framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
+
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml
index 1c34f9560..6fa97bf2c 100644
--- a/rules/linux/command_and_control_linux_kworker_netcon.toml
+++ b/rules/linux/command_and_control_linux_kworker_netcon.toml
@@ -2,16 +2,14 @@
creation_date = "2023/10/18"
integration = ["endpoint"]
maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/04/30"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the
-kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel
-space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.
+kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel
+space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.
Attackers may attempt to evade detection by masquerading as a kernel worker process.
"""
from = "now-9m"
@@ -49,14 +47,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "new_terms"
+
query = '''
host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and
process.name:kworker* and not destination.ip:(
@@ -72,50 +71,49 @@ process.name:kworker* and not destination.ip:( ) and not destination.port:2049 ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - id = "TA0011" - name = "Command and Control" - reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - id = "TA0005" - name = "Defense Evasion" - reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat.technique]] - name = "Masquerading" - id = "T1036" - reference = "https://attack.mitre.org/techniques/T1036/" - - [[rule.threat.technique]] - name = "Rootkit" - id = "T1014" - reference = "https://attack.mitre.org/techniques/T1014/" - +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] - id = "TA0010" - name = "Exfiltration" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique]] - name = "Exfiltration Over C2 Channel" - id = "T1041" - reference = "https://attack.mitre.org/techniques/T1041/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "destination.ip", "destination.port"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + 
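Review bot: The regenerated threat block in this hunk spaces its tables inconsistently: the first `[[rule.threat]]` is followed directly by `framework` and `[rule.threat.tactic]` with no separator, while the later `[rule.threat.tactic]` tables are preceded by one and then two added blank lines. If this layout is emitted by the serializer changed in devtools.py rather than edited by hand, that is where a single blank line between technique and tactic tables should be normalized, otherwise every future regeneration will produce whitespace churn in these files. The tactic and technique content itself (TA0011, TA0005 with T1014/T1036, TA0010 with T1041) looks preserved, only reordered.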
diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml
index 4fe527e74..6af677c74 100644
--- a/rules/linux/command_and_control_linux_proxychains_activity.toml
+++ b/rules/linux/command_and_control_linux_proxychains_activity.toml
@@ -2,9 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
[transform]
[[transform.osquery]]
@@ -31,12 +29,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
+
[rule]
author = ["Elastic"]
description = """
-This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
-routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
-resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
+This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
+routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
+resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-9m"
@@ -112,30 +111,33 @@ risk_score = 21 rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "proxychains" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index 063f31889..d0e52b96b 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,13 +29,15 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to -restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, -and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. +restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade +detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and +intentions. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -137,16 +137,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "proxychains" and process.args : ( 
@@ -156,15 +157,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
+
[[rule.threat]]
framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
+
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
index e063595ee..b1ca0af32 100644
--- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
+++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
@@ -2,9 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/30"
+updated_date = "2024/05/21"
[transform]
[[transform.osquery]]
@@ -31,12 +29,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
+
[rule]
author = ["Elastic"]
description = """
-This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can
-leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels,
-and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.
+This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can
+leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels,
+and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote
+control.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -108,8 +108,8 @@ This rule looks for several utilities that are capable of setting up tunnel netw
"""
references = [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
- "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
- ]
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding",
+]
risk_score = 47
rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e"
setup = """## Setup
@@ -139,15 +139,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( ( @@ -168,15 +169,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index 75e542d09..8e52abef1 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -2,9 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
+
[rule]
author = ["Elastic"]
description = """
@@ -169,13 +168,13 @@ Packetbeat is a real-time network packet analyzer that you can use for applicati
"""
severity = "low"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -200,14 +199,15 @@ not destination.ip:(
not destination.port:(22 or 80 or 443)
'''
+
[[rule.threat]]
framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
+
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
@@ -216,7 +216,8 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "destination.ip", "process.executable"]
-
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
+
+
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index e9cf24526..edf2c027b 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -2,9 +2,7 @@
creation_date = "2021/04/12"
integration = ["endpoint"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/05/21"
[transform]
[[transform.osquery]]
@@ -31,6 +29,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
+
[rule]
author = ["Elastic"]
description = """
@@ -150,13 +149,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i
"""
severity = "medium"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 2e1bf781c..b4def3d77 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -2,9 +2,7 @@
creation_date = "2020/12/22"
integration = ["endpoint"]
maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -63,14 +61,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -109,37 +107,37 @@ event.category:process and host.os.type:linux and event.type:start and
)
'''
+
[[rule.threat]]
framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
-
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
-
[[rule.threat]]
framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1560"
name = "Archive Collected Data"
reference = "https://attack.mitre.org/techniques/T1560/"
-
[[rule.threat.technique.subtechnique]]
id = "T1560.001"
name = "Archive via Utility"
reference = "https://attack.mitre.org/techniques/T1560/001/"
+
+
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
@@ -148,7 +146,8 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line", "process.parent.executable"]
-
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
+
+
diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml
index 0c136e26c..1b57dacdf 100644
--- a/rules/linux/credential_access_credential_dumping.toml
+++ b/rules/linux/credential_access_credential_dumping.toml
@@ -2,28 +2,23 @@
creation_date = "2023/02/27"
integration = ["endpoint"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/19"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
-Identifies the execution of the unshadow utility which is part of John the Ripper,
-a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve
-the combined contents of the '/etc/shadow' and '/etc/password' files.
-Using the combined file generated from the utility, the malicious threat actors can use them as input
-for password-cracking utilities or prepare themselves for future operations by gathering
-credential information of the victim.
+Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host
+machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password'
+files. Using the combined file generated from the utility, the malicious threat actors can use them as input for
+password-cracking utilities or prepare themselves for future operations by gathering credential information of the
+victim.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Credential Dumping via Unshadow"
-references = [
- "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/",
-]
+references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
risk_score = 47
rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
setup = """## Setup
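Review bot: The reflowed description on the new side still names the second input file as `'/etc/password'`; the file unshadow merges with /etc/shadow is `/etc/passwd`, and the T1003.008 sub-technique this same rule cites a few lines further down is itself titled "/etc/passwd and /etc/shadow". Since this commit already rewrites these description lines, the slip can be corrected in the same pass, e.g. `machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/passwd'`. Analysts read this description when triaging the alert, so a wrong path here is user-facing rather than cosmetic.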
@@ -53,34 +48,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "unshadow" and process.args_count >= 3 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml index e5b8dfc17..23bf71fef 100644 --- a/rules/linux/credential_access_gdb_init_process_hooking.toml +++ b/rules/linux/credential_access_gdb_init_process_hooking.toml 
@@ -2,14 +2,12 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory +This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ @@ -18,10 +16,7 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Linux init (PID 1) Secret Dump via GDB" -references = [ - "https://github.com/controlplaneio/truffleproc", - "https://github.com/hajzer/bash-memory-dump" -] +references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] risk_score = 47 rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f" setup = """## Setup 
@@ -51,34 +46,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml index 1a72efb58..622a54dba 100644 --- a/rules/linux/credential_access_gdb_process_hooking.toml +++ b/rules/linux/credential_access_gdb_process_hooking.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt -secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and +secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" @@ -18,24 +16,22 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "Linux Process Hooking via GDB" -references = [ - "https://github.com/controlplaneio/truffleproc", - "https://github.com/hajzer/bash-memory-dump" -] +references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] risk_score = 21 rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "gdb" and process.args in ("--pid", "-p") and 
@@ -43,20 +39,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action
process.args != "1"
'''
+
[[rule.threat]]
framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
-
[[rule.threat.technique.subtechnique]]
id = "T1003.007"
name = "Proc Filesystem"
reference = "https://attack.mitre.org/techniques/T1003/007/"
+
+
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
index 8f187c78d..7e883b444 100644
--- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
+++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
@@ -2,15 +2,13 @@
creation_date = "2023/07/26"
integration = ["endpoint"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
-Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a
-short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a
+Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a
+short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a
set of customly crafted passwords in an attempt to gain access to these accounts.
"""
from = "now-9m"
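Review bot: In the second hunk on this line (credential_access_potential_linux_local_account_bruteforce.toml) the rewritten description keeps two wording slips: the new line `targeting a local linux user account within a` should capitalize `Linux` as the rest of the rule set does, and the unchanged context line `set of customly crafted passwords` should read `set of custom-crafted passwords`. Both fixes fit in the same reflow pass without touching the query or the rule's metadata.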
@@ -47,13 +45,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
type = "eql"
+
query = '''
sequence by host.id, process.parent.executable, user.id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and
@@ -64,20 +63,22 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s
] with runs=10
'''
+
[[rule.threat]]
framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
-
[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
index ca1511851..264cbb61e 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
@@ -2,15 +2,13 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies multiple external consecutive login failures targeting a user account from the same source address within -a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known +Identifies multiple external consecutive login failures targeting a user account from the same source address within a +short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. """ from = "now-9m" @@ -79,12 +77,9 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "eql" + query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index 6640ba404..dc4b7b8ec 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/02/21" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies multiple internal consecutive login failures targeting a user account from the same source address within -a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known +Identifies multiple internal consecutive login failures targeting a user account from the same source address within a +short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. """ from = "now-9m" @@ -75,12 +73,9 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "eql" + query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml index d554c3a09..936f72da6 100644 --- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml 
@@ -2,18 +2,16 @@
 creation_date = "2023/07/06"
 integration = ["auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/19"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different
-combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can
-include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and
-potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting
-a specific user account from the same source address and within a short time interval, followed by a successful
+An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different
+combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can
+include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and
+potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting
+a specific user account from the same source address and within a short time interval, followed by a successful
 authentication.
 """
 from = "now-9m"
@@ -60,13 +58,14 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", +] type = "eql" + query = ''' sequence by host.id, auditd.data.addr, related.user with maxspan=5s [authentication where host.os.type == "linux" and event.action == "authenticated" and @@ -77,14 +76,13 @@ sequence by host.id, auditd.data.addr, related.user with maxspan=5s auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -95,7 +93,10 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml index cd5da35ff..f4c9c3538 100644 --- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml 
@@ -2,18 +2,16 @@
 creation_date = "2023/07/06"
 integration = ["auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/19"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and
+An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and
 password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact
-can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks
-within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising
-the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a
+can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks
+within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising
+the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a
 specific user account within a short time interval, followed by a successful authentication.
 """
 from = "now-9m"
@@ -60,13 +58,14 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", +] type = "eql" + query = ''' sequence by host.id, related.user with maxspan=5s [authentication where host.os.type == "linux" and event.action == "authenticated" and @@ -75,14 +74,13 @@ sequence by host.id, related.user with maxspan=5s auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -93,7 +91,10 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index ed7a05b56..735059d55 100644 --- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml 
@@ -2,18 +2,16 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt -to login into multiple users with a common or known password to gain access to accounts. +Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can +attempt to login into multiple users with a common or known password to gain access to accounts. """ from = "now-9m" -index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"] +index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"] language = "eql" license = "Elastic License v2" name = "Potential Successful SSH Brute Force Attack" @@ -81,13 +79,9 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "eql" + query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and 
@@ -97,14 +91,13 @@ sequence by host.id, source.ip, user.name with maxspan=15s event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -115,7 +108,10 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index ff941228c..9da10c339 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml 
@@ -2,17 +2,15 @@ creation_date = "2023/04/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. -Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits -a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by -dumping the process and extracting lines that have a high probability of containing cleartext passwords. +Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a +known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the +process and extracting lines that have a high probability of containing cleartext passwords. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -21,7 +19,7 @@ license = "Elastic License v2" name = "Potential Linux Credential Dumping via Proc Filesystem" references = [ "https://github.com/huntergregal/mimipenguin", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781" + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781", ] risk_score = 47 rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311" 
@@ -52,14 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Use Case: Vulnerability", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.name with maxspan=1m [process where host.os.type == "linux" and process.name == "ps" and event.action == "exec" @@ -68,25 +67,27 @@ sequence by host.id, process.parent.name with maxspan=1m and process.args : "/tmp/*"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" + [[rule.threat.technique]] id = "T1212" name = "Exploitation for Credential Access" reference = "https://attack.mitre.org/techniques/T1212/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index ecc4b5932..a537b35e5 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -66,7 +64,15 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index 1c84372ed..2b7ee154f 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -46,16 +44,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -75,20 +73,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -name = "Impair Defenses" id = "T1562" +name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] -name = "Disable or Modify Tools" id = "T1562.001" +name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 9c21dacf1..78771aa6d 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -57,7 +55,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 31c0b7f2d..544c7ce58 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/17" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -61,25 +59,26 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("base16", "base32", "base32plain", "base32hex") and not process.args in ("--help", "--version") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" @@ -90,7 +89,9 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index ba14cbaf6..362dc53aa 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move -and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, -so if it does, the activity should be investigated. +This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and +rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if +it does, the activity should be investigated. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -47,13 +45,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -84,25 +83,27 @@ sequence by host.id, process.entity_id with maxspan=1s ) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename System Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - -[[rule.threat.technique.subtechnique]] -id = "T1036.003" -name = "Rename System Utilities" -reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index 6708e4784..dacc91b8d 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/11" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -64,13 +62,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -81,19 +79,20 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [[rule.threat.technique.subtechnique]] id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index 6f37f146f..989283a36 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/24" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -46,45 +44,48 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "dmesg" and process.args == "-c" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -name = "Impair Defenses" -id = "T1562" -reference = "https://attack.mitre.org/techniques/T1562/" - -[[rule.threat.technique.subtechnique]] -name = "Disable or Modify Tools" -id = "T1562.001" -reference = "https://attack.mitre.org/techniques/T1562/001/" - -[[rule.threat.technique]] -name = "Indicator Removal" id = "T1070" +name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] -name = "Clear Linux or Mac System Logs" id = "T1070.002" +name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + + [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index b871a387c..f5010f7c8 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -2,14 +2,12 @@ creation_date = "2023/08/28" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces +This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ @@ -47,16 +45,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 
@@ -65,20 +64,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index ef0ade341..3de937008 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -59,35 +57,38 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "setenforce" and process.args == "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index 7751d734d..e51936b4a 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml 
@@ -2,18 +2,16 @@
 creation_date = "2023/04/11"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.5.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag,
-which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related
-paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization
-software, and their presence in the touch command arguments may indicate that a threat actor is attempting to
-tamper with timestamps of VM-related files and configurations on the system.
+Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify
+the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as
+"/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and
+their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps
+of VM-related files and configurations on the system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
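Review bot: The floor removed here is `min_stack_version = "8.5.0"`, above the 8.3.0 trimmed from the neighbouring rules, yet its deleted `min_stack_comments` gives the same required_fields/related_integrations/setup justification, so it is unclear whether 8.5.0 was deliberate or an error; either way the removal is only safe if the minimum supported stack this backport assumes is at least 8.5.0. The same check applies more strongly to rules/linux/defense_evasion_file_mod_writable_dir.toml later in this commit, whose deleted comment ties its 8.6.0 floor to multi-field support in the New Terms rule type; if the assumed floor is below 8.6.0 that rule would be offered to stacks that cannot install a multi-field New Terms query. A sentence in the commit description stating the stack floor the trimming assumes would let each removed version be checked against it.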
@@ -52,36 +50,39 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "touch" and process.args == "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.006" name = "Timestomp" reference = "https://attack.mitre.org/techniques/T1070/006/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 9b41a3d3d..c14918a6b 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -47,13 +45,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" @@ -63,20 +61,22 @@ process where host.os.type == "linux" and event.type == "start" and process.name ) and not process.parent.name == "logrotate" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 308ff063e..e18c9cd1e 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -64,28 +62,30 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.category:process and event.type:start and process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and not process.parent.name:(apt-key or update-motd-updates-available) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -94,7 +94,8 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable", "process.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index c5ccfbfbe..f15704084 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
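Review bot: Dropping `min_stack_version = "8.6.0"` from this new_terms rule (the hunk starting at `creation_date = "2020/04/21"`) removes the guard that its three-field `new_terms_fields` value (`host.id`, `process.parent.executable`, `process.command_line`) needs Elastic 8.6+; the removed `min_stack_comments` line said exactly that. That is only safe if the trimmed stack-schema-map in this PR no longer supports any stack below 8.6, which is not visible in this chunk and is worth confirming before merge. The `docs/versioning.md` change should also state the new floor so rule authors know when `min_stack_version` is still required for multi-field new_terms rules.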
@@ -69,12 +67,12 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -85,24 +83,24 @@ process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and not process.name in ("ls", "find", "grep", "git", "jq", "basename") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index c841c28f3..f320147a6 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -63,34 +61,37 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and not process.name == "dockerd" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index b1efaa15b..c483820f0 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -54,13 +52,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -70,38 +68,39 @@ process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--r process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 110b6c20f..01b696e0d 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml 
@@ -2,25 +2,21 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such +Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to -hide their malicious programs by masquerading as legitimate kernel processes. +hide their malicious programs by masquerading as legitimate kernel processes. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Executable Masquerading as Kernel Process" -references = [ - "https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/", -] +references = ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"] risk_score = 21 rule_id = "202829f6-0271-4e88-b882-11a655c590d4" setup = """## Setup 
@@ -51,39 +47,42 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name : ("kworker*", "kthread*") and process.executable != null ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - -[[rule.threat.technique.subtechnique]] -id = "T1036.004" -name = "Masquerade Task or Service" -reference = "https://attack.mitre.org/techniques/T1036/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index ca5cf9311..446e8c07c 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,13 +62,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -93,20 +91,22 @@ file where host.os.type == "linux" and event.type == "deletion" and not process.name in ("gzip", "executor", "dockerd") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index 7d28a1ca3..ad3e587dc 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml 
@@ -2,29 +2,25 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the execution of mount process with hidepid parameter, which can make processes invisible to -other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide -the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user -can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for -the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. -With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, -which can now be monitored and detected. +Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from +the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other +users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the +logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide +their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening +hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and +detected. 
""" from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Hidden Process via Mount Hidepid" -references = [ - "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", -] +references = ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"] risk_score = 47 rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204" setup = """## Setup @@ -54,31 +50,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index 8acf5345e..d02281ab7 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml 
@@ -2,32 +2,27 @@ creation_date = "2023/03/07" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of -chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot -to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. -In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. -With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, -such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other -architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), -can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or -orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent -it can be easily tuned to work for one. +Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount +--bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to +multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack +is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a +consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. 
PRoot also +provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The +post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute +malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. +Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via PRoot" -references = [ - "https://proot-me.github.io/", -] +references = ["https://proot-me.github.io/"] risk_score = 47 rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0" setup = """## Setup @@ -57,29 +52,32 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.name == "proot" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1211" name = "Exploitation for Defense Evasion" reference = "https://attack.mitre.org/techniques/T1211/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index b1b0bd4e7..114e04920 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml 
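Review bot: The reflowed description still contains `to be run.The post-exploitation technique` with no space after the period (carried over from the old side), and the rewrap now splits `mount --bind` so that `--bind` starts a line, which reads as a stray flag. Suggest `to be run. The post-exploitation technique called bring your own filesystem (BYOF)` and rewrapping so `mount --bind` stays on one line; `With PRoot, it provides an attacker with` could also become `PRoot provides an attacker with`. The `setup` block this hunk ends on continues outside it.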
+++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.5.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -49,9 +47,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action == "rename" and file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") @@ -75,4 +80,5 @@ reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index 7160ee85a..c9061d947 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.5.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. -The rule monitors for the "rename" event action associated with this specific file and path, -which could indicate malicious activity. +The rule monitors for the "rename" event action associated with this specific file and path, which could indicate +malicious activity. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -49,9 +47,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and file.Ext.original.path : "/usr/lib/vmware/*" @@ -74,4 +79,5 @@ reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index 1a4cdb2de..bda9821f5 100644 
--- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -2,15 +2,13 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching -directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux +This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching +directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection. """ from = "now-9m" @@ -22,15 +20,16 @@ risk_score = 21 rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.name in ("screen", "tmux") and process.name : ( 
@@ -39,15 +38,17 @@ process.parent.name in ("screen", "tmux") and process.name : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index 59488c955..16c7da4de 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -2,9 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -50,16 +48,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "od" and process.args in ( 
@@ -68,15 +67,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index a19fca3f1..b629270c6 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.5.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,7 +17,9 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Find" -references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"] +references = [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", +] risk_score = 47 rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f" setup = """## Setup 
@@ -49,30 +49,33 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 961a5e07c..1affdffe0 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml 
@@ -2,14 +2,12 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.5.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments +Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. @@ -19,7 +17,9 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Grep" -references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"] +references = [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", +] risk_score = 47 rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4" setup = """## Setup 
@@ -49,16 +49,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("grep", "egrep", "pgrep") and process.args in ( @@ -66,15 +67,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index d182bf299..271cfcaaa 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
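Review bot: Dropping `min_stack_version = "8.6.0"` from the kernel-module enumeration header also drops the only record of why that floor existed: the rule's `[rule.new_terms]` block (visible in the following hunk of this file) uses three `new_terms_fields`, which the removed comment says needs Elastic 8.6 for multi-field New Terms. That is only safe if this branch's minimum supported stack in `stack-schema-map.yaml` is now at or above 8.6; if it is lower, the rule would be built for a stack that rejects the multi-field value. A one-line `# multi-field new_terms: requires stack >= 8.6` in the header, or a sentence in the PR description stating the new floor, would keep that constraint discoverable.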
@@ -53,15 +51,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and ( (process.name:(lsmod or modinfo)) or @@ -72,14 +71,15 @@ or readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or weak-modules or zfs) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -88,7 +88,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.command_line", "process.command_line", "host.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index f59a8f2bd..ac1d28f7a 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -65,30 +63,33 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("hping", "hping2", "hping3") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index f2c110c3e..9e48fc76e 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -65,30 +63,33 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "nping" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml index c7a655bd5..0fa247325 100644 --- a/rules/linux/discovery_ping_sweep_detected.toml +++ b/rules/linux/discovery_ping_sweep_detected.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. -Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while -attempting to evade detection or due to the lack of network mapping tools available on the compromised host. +This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. +Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while +attempting to evade detection or due to the lack of network mapping tools available on the compromised host. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
@@ -48,29 +46,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "threshold" + query = ''' event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and event.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -79,7 +79,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.threshold] field = ["host.id", "process.parent.entity_id", "process.executable"] value = 1 - [[rule.threshold.cardinality]] field = "process.args" value = 100 + + diff --git a/rules/linux/discovery_proc_maps_read.toml b/rules/linux/discovery_proc_maps_read.toml index 56c21b5fd..fa5cc29d2 100644 --- a/rules/linux/discovery_proc_maps_read.toml +++ b/rules/linux/discovery_proc_maps_read.toml @@ -2,9 +2,7 @@ creation_date = "2024/01/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -49,14 +47,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.entry_leader.name in ( @@ -64,15 +63,17 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml index 3c02f0ea0..95a14458a 100644 --- a/rules/linux/discovery_pspy_process_monitoring_detected.toml +++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/07/20" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the -openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process -monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege +This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the +openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process +monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors. """ from = "now-9m" @@ -48,22 +46,23 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", +] type = "eql" + query = ''' sequence by process.pid, host.id with maxspan=5s [file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") ] with runs=10 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" 
@@ -74,7 +73,9 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index f9719cca5..5e29c5d85 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -2,16 +2,14 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for -the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, -potentially allowing to escalate privileges to root. +This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for +the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo +permissions, potentially allowing to escalate privileges to root. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -47,14 +45,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sudo" and process.args == "-l" and process.args_count == 2 and @@ -62,15 +61,17 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args == "dpkg" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 4b6179ebf..73fd48e34 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml 
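Review bot: In the sudo -l query the trailing `not process.args == "dpkg"` exclusion looks unreachable: the first hunk pins `process.args == "-l" and process.args_count == 2`, so the argument list is exactly `sudo -l` and can never also contain `dpkg`. Either the exclusion can be dropped, or the intent was a parent-process exclusion (`not process.parent.name == "dpkg"`) and the current line silently does nothing. The middle of the condition sits in context lines between the two hunks, so I cannot see whether a parent exclusion already covers this.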
@@ -2,17 +2,15 @@ creation_date = "2023/07/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID -(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the -privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In -case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this +This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID +(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the +privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case +an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. """ from = "now-9m" 
@@ -48,9 +46,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "find" and process.args : "-perm" and process.args : ( @@ -61,37 +67,36 @@ process.name == "find" and process.args : "-perm" and process.args : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -99,3 +104,4 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml index 99dfe0b87..76595d441 100644 --- a/rules/linux/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml @@ -2,16 +2,14 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage -the which command to enumerate the system for useful installed utilities that may be used after compromising a system to -escalate privileges or move latteraly across the network. +This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may +leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a +system to escalate privileges or move latteraly across the network. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
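Review bot: The re-wrapped description still carries the typo `latteraly` in `escalate privileges or move latteraly across the network`; since this hunk already rewrites that line, it is the cheapest place to correct it to `laterally`. The description is user-facing rule text, so the misspelling surfaces wherever the rule is displayed.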
@@ -22,15 +20,16 @@ risk_score = 21 rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and @@ -39,18 +38,20 @@ not process.args == "--tty-only" /* potential tuning if rule would turn out to be noisy and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") -*/ +*/ ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index d36e05269..860c3e226 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml 
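Review bot: The commented-out tuning block at the end of the query carries a syntax error that the trailing-whitespace fix to `*/` leaves in place: `"netcat", nc.traditional", "gcc"` is missing the opening quote on `nc.traditional`. Inside `/* ... */` it is inert, but the block is offered as a ready-to-enable tuning, and anyone uncommenting it would hit an EQL parse error instead of a tighter rule; the line should read `and process.args in ("nmap", "nc", "ncat", "netcat", "nc.traditional", "gcc", "g++", "socat") and`. The preceding part of the condition is only visible as hunk-header context here.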
@@ -2,15 +2,13 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This -behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These +behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the "id" command to enumerate the privileges of all users present on the system. """ from = "now-9m" @@ -46,8 +44,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -55,15 +60,17 @@ sequence by host.id, process.parent.entity_id with maxspan=1s not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index 58b5f0049..62990271a 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,7 +62,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 8ce081939..ebd86e57f 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -2,9 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -100,15 +98,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "new_terms" @@ -126,14 +124,15 @@ vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or met not file.name : (jem.*.pid) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -142,7 +141,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml index ae5eff02e..668a851f9 100644 --- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml +++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml 
@@ -2,20 +2,18 @@ creation_date = "2023/10/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." -min_stack_version = "8.6.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction +Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow -during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed -with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, -HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. +during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be +executed with and without the use of environment variables. For increased visibility, enable the collection of +http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of +this rule. """ - from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" @@ -24,7 +22,7 @@ name = "Potential curl CVE-2023-38545 Exploitation" references = [ "https://curl.se/docs/CVE-2023-38545.html", "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", - "https://twitter.com/_JohnHammond/status/1711986412554531015" + "https://twitter.com/_JohnHammond/status/1711986412554531015", ] risk_score = 47 rule_id = "f41296b4-9975-44d6-9486-514c6f635b2d" 
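Review bot: Removing `min_stack_version = "8.6.0"` here also removes the recorded reason for it (Linux environment-variable capture arriving in Elastic Defend 8.6), while the description still instructs users to enable collection of `http_proxy`, `HTTPS_PROXY` and `ALL_PROXY` for this rule. If the branch's supported-stack floor in `stack-schema-map.yaml` is below 8.6, the rule could be shipped to a stack where the env-var field the query presumably relies on is absent; if the floor is already at or above 8.6 this is fine and a sentence in the PR description would settle it. The query body itself is cut off by the next hunk, so I cannot confirm which field it references.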
@@ -68,15 +66,16 @@ For more information on capturing environment variables refer to the [helper gui """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Use Case: Vulnerability", - "Tactic: Execution", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl" and ( @@ -87,15 +86,17 @@ not process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "a not process.args == "/opt/rudder/bin/curl" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index a65032f83..c6b2f93a4 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a -directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute +directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks. """ from = "now-9m" @@ -46,8 +44,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, user.id with maxspan=1m [file where host.os.type == "linux" and event.action == "creation" and @@ -61,20 +66,22 @@ sequence by host.id, user.id with maxspan=1m "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 56c2f7469..4e0c64c9b 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -111,7 +109,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] type = "eql" query = ''' diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml index d607c959f..791a62e39 100644 --- a/rules/linux/execution_interpreter_tty_upgrade.toml +++ b/rules/linux/execution_interpreter_tty_upgrade.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/09/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/03/08" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade -a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more +Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a +simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection. """ from = "now-9m" @@ -46,15 +44,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -tags = ["Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or 
@@ -63,20 +63,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index bda20e748..d629fd28e 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -2,15 +2,13 @@ creation_date = "2023/09/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses -the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction +the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell. """ false_positives = [ 
@@ -54,35 +52,39 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and process.args : "*l*" and process.args_count >= 4 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index 24d545add..205b2b1e1 100644 --- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml 
@@ -2,28 +2,24 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" -min_stack_version = "8.6.0" -updated_date = "2024/03/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a +Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many -cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed -thoroughly. +cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed +thoroughly. """ from = "now-9m" index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Network Connection from Binary with RWX Memory Region" -references = [ - "https://man7.org/linux/man-pages/man2/mprotect.2.html" -] +references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"] risk_score = 47 rule_id = "32300431-c2d5-432d-8ec8-0e03f9924756" setup = """## Setup 
@@ -45,15 +41,16 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' sample by host.id, process.pid, process.name /* auditd.data.a2 == "7" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */ @@ -62,33 +59,34 @@ sample by host.id, process.pid, process.name not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" 
diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index e1f236cfb..f35e2868e 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -2,15 +2,13 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network -connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. +This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network +connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" @@ -47,13 +45,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -64,33 +63,34 @@ sequence by host.id with maxspan=1m not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index 35a7229b1..e8399decc 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/16" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -57,7 +55,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index 7f496983a..345349b91 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -2,14 +2,12 @@ creation_date = "2023/09/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/03/08" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from +Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well. """ 
@@ -47,17 +45,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -timestamp_override = "event.ingested" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] +timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ( @@ -78,6 +77,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -85,3 +85,4 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index cbe81a44d..2cc5578a9 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -2,9 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -68,15 +66,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" @@ -85,15 +83,17 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)""" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index fa6d47407..f3f896a29 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -2,9 +2,7 @@ creation_date = "2022/05/10" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -59,14 +57,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -77,14 +75,15 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ "/var/run/argo/argoexec") and not process.parent.command_line : "/usr/bin/runc init" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index e419b51a4..04af725fa 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/03/08" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -45,15 +43,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -timestamp_override = "event.ingested" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] +timestamp_override = "event.ingested" type = "eql" query = ''' @@ -66,20 +64,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.006" name = "Python" reference = "https://attack.mitre.org/techniques/T1059/006/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index f5db5c613..37031b2bf 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml 
@@ -2,18 +2,16 @@ creation_date = "2022/06/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within -a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a -public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection -attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities -for unauthorized access and malicious actions. +This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a +PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public +facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, +which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for +unauthorized access and malicious actions. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -48,13 +46,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -66,20 +65,22 @@ user.name == "postgres" and ( ) and not process.parent.name : "puppet" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index b3bef3b27..648294234 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml 
@@ -2,15 +2,13 @@ creation_date = "2022/05/06" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive -system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, +Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive +system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. """ from = "now-9m" @@ -127,9 +125,17 @@ Session View uses process data collected by the Elastic Defend integration, but For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and ( 
@@ -184,20 +190,22 @@ process where host.os.type == "linux" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 430753720..2c768bc41 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -2,15 +2,13 @@ creation_date = "2023/09/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp -channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. +Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp +channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -45,49 +43,51 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -timestamp_override = "event.ingested" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] +timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference 
= "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
index 0369a74e6..dcbcb5da9 100644
--- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
+++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/02"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/17"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +17,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Child"
 references = [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
 ]
 risk_score = 47
 rule_id = "2138bb70-5a5e-42fd-be5e-b38edf6a6777"
@@ -52,13 +50,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by host.id, process.entity_id with maxspan=5s
 [network where event.type == "start" and host.os.type == "linux" and
@@ -71,33 +70,34 @@ sequence by host.id, process.entity_id with maxspan=5s )] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index ef459002a..8294a0bd4 100644 --- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -18,7 +16,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Java"
 references = [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
 ]
 risk_score = 47
 rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd"
@@ -49,13 +47,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by host.id with maxspan=5s
 [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and
@@ -77,33 +76,34 @@ sequence by host.id with maxspan=5s )] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index a01e43904..4d5cb2085 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml 
@@ -2,15 +2,13 @@
 creation_date = "2023/07/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/12/13"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by
-the specified utilities that are initialized from a single process followed by a network connection attempt will be
+This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by
+the specified utilities that are initialized from a single process followed by a network connection attempt will be
 captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
 """
 from = "now-9m"
@@ -19,7 +17,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Suspicious Child Process"
 references = [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
 ]
 risk_score = 47
 rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee"
@@ -50,13 +48,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and (
@@ -86,33 +85,34 @@ sequence by host.id, process.entity_id with maxspan=1s destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index d8400c11b..789d77cf1 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml 
@@ -2,16 +2,14 @@
 creation_date = "2023/08/10"
 integration = ["auditd_manager"]
 maturity = "production"
-min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
-min_stack_version = "8.6.0"
-updated_date = "2024/02/19"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged
+This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged
 by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting
-this pattern is indicative of a successful meterpreter shell connection.
+this pattern is indicative of a successful meterpreter shell connection.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -60,14 +58,15 @@ However, if more advanced configuration is required to detect specific behavior,
 """
 severity = "medium"
 tags = [
- "Data Source: Auditd Manager",
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution"
- ]
+ "Data Source: Auditd Manager",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 sample by host.id, process.pid, user.id
 [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"]
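Review bot: Removing `min_stack_version = "8.6.0"` from the metadata hunk also removes the recorded reason for it — the `sample by` clause in this rule's query (visible in the second hunk of this file) was gated to 8.6.0 — so nothing in the rule itself now says it needs that stack. That is only safe if the repository-wide floor this PR sets elsewhere (stack-schema-map.yaml in the diffstat) is at least 8.6.0; please confirm before merging, since a lower floor would let a rule be packaged for a stack that may not accept its query. The same concern applies to the other `sample by` rule in execution_shell_via_udp_cli_utility_linux.toml and to execution_suspicious_executable_running_system_commands.toml and execution_unknown_rwx_mem_region_binary_executed.toml, whose removed comments cited multi-field New Terms support as the 8.6.0 reason. If docs/versioning.md (added by this PR) records the new floor, a short pointer to it in the PR description would make the rationale recoverable.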
@@ -77,33 +76,34 @@ sample by host.id, process.pid, user.id [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index 47e3831d9..3e79f5cfa 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml 
@@ -2,16 +2,14 @@
 creation_date = "2023/07/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
 This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary
 (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being
-spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish
+spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish
 persistence onto a target system.
 """
 from = "now-9m"
@@ -20,7 +18,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Suspicious Binary"
 references = [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
 ]
 risk_score = 47
 rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f"
@@ -51,13 +49,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
 [ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -79,33 +78,34 @@ sequence by host.id, process.entity_id with maxspan=1s process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" \ No newline at end of file diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index 5d69e7198..56c51e0f5 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,7 +17,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell"
 references = [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
 ]
 risk_score = 47
 rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3"
@@ -50,13 +48,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by host.id with maxspan=5s
 [network where event.type == "start" and host.os.type == "linux" and
@@ -69,33 +68,34 @@ sequence by host.id with maxspan=5s )] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index 0f609ef43..0a453512b 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml 
@@ -2,16 +2,14 @@
 creation_date = "2023/07/04"
 integration = ["auditd_manager"]
 maturity = "production"
-min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
-min_stack_version = "8.6.0"
-updated_date = "2024/03/13"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This
+This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This
 activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the
-auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux
+auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux
 UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.
 """
 from = "now-9m"
@@ -20,7 +18,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via UDP"
 references = [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
 ]
 risk_score = 47
 rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037"
@@ -65,10 +63,11 @@ tags = [
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
- "Tactic: Execution"
- ]
+ "Tactic: Execution",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 sample by host.id, process.pid, process.parent.pid
 [process where host.os.type == "linux" and event.type == "start" and event.action == "executed" and process.name : (
@@ -87,33 +86,34 @@ sample by host.id, process.pid, process.parent.pid not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 0f19dd505..95c59d602 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -2,9 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,9 +17,7 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Content Extracted or Decompressed via Funzip"
-references = [
- "https://attack.mitre.org/software/S0482/"
-]
+references = ["https://attack.mitre.org/software/S0482/"]
 risk_score = 47
 rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66"
 setup = """## Setup
@@ -50,9 +46,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
 ((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and
@@ -61,38 +65,39 @@ not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xa not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] -name = "Unix Shell" id = "T1059.004" +name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + [rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Obfuscated Files or Information" id = "T1027" +name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" [[rule.threat.technique]] -name = "Deobfuscate/Decode Files or Information" id = "T1140" +name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index f0bf64224..39074a87a 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml 
@@ -2,17 +2,15 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
 This rule monitors for the execution of several commonly used system commands executed by a previously unknown
-executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially
-malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code.
-Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the
+executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially
+malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code.
+Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the
 system and its data from potential compromise.
 """
 from = "now-9m"
@@ -48,7 +46,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
@@ -64,28 +69,30 @@ process.executable:( not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] -name = "Command and Scripting Interpreter" id = "T1059" +name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] -name = "Unix Shell" id = "T1059.004" +name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index 35ee9d990..6578d9e15 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/08" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -46,34 +44,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.service", "pnsd.service", "apache4.service", "pastebin.service", "xvf.service") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + + + [rule.threat.tactic] -name = "Execution" id = "TA0002" +name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat.technique]] -name = "Command and Scripting Interpreter" -id = "T1059" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -name = "Unix Shell" -id = "T1059.004" -reference = "https://attack.mitre.org/techniques/T1059/004/" diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 80dbb34e5..1422ba8d4 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml 
@@ -1,10 +1,8 @@ [metadata] creation_date = "2022/07/11" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -52,14 +50,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: TripleCross", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: TripleCross", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -69,20 +67,22 @@ process.args == "filter" and process.args == "add" and process.args == "bpf" and not process.parent.executable == "/usr/sbin/libvirtd" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml index 28e6322f5..27ee5bebe 100644 --- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml +++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/03/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,16 +11,14 @@ Monitors for the execution of a previously unknown unix binary with read, write The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases -overly permissive, and should be analyzed thoroughly. +overly permissive, and should be analyzed thoroughly. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Unknown Execution of Binary with RWX Memory Region" -references = [ - "https://man7.org/linux/man-pages/man2/mprotect.2.html" -] +references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"] risk_score = 47 rule_id = "23bcd283-2bc0-4db2-81d4-273fc051e5c0" setup = """## Setup 
@@ -44,40 +40,43 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index f2d6c9090..2e7a762d6 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -2,9 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,8 +17,8 @@ language = "eql" license = "Elastic License v2" name = "Suspicious Data Encryption via OpenSSL Utility" references = [ - "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", - "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html", + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html", ] risk_score = 47 rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73" @@ -50,8 +48,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, user.name, process.parent.entity_id with maxspan=5s [ process where host.os.type == "linux" and event.action == "exec" and @@ -62,15 +67,17 @@ sequence by host.id, user.name, process.parent.entity_id with maxspan=5s not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10 ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + [rule.threat.tactic] -name = "Impact" id = "TA0040" +name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" -[[rule.threat.technique]] -name = "Data Encrypted for Impact" -id = "T1486" -reference = "https://attack.mitre.org/techniques/T1486/" 
diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml
index 8b9003468..bc58c8a9c 100644
--- a/rules/linux/impact_esxi_process_kill.toml
+++ b/rules/linux/impact_esxi_process_kill.toml
@@ -2,17 +2,15 @@
 creation_date = "2023/04/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.5.0"
-updated_date = "2024/02/20"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system
-by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process.
-The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a
-threat actor is attempting to interfere with the virtualized environment on the targeted system.
+Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill"
+command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a
+"kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to
+interfere with the virtualized environment on the targeted system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -51,29 +49,32 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx") and process.parent.name == "kill" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index f88c579f2..ad559bb91 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml 
@@ -2,17 +2,15 @@
 creation_date = "2023/03/20"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same
-process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and
-demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware
-attack is the mass encryption of the file system, after which a new file extension is added to the file.
+This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same
+process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands
+payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack
+is the mass encryption of the file system, after which a new file extension is added to the file.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -48,13 +46,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by process.entity_id, host.id with maxspan=1s
 [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
@@ -71,15 +70,17 @@ sequence by process.entity_id, host.id with maxspan=1s ] with runs=25 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index 347b2c6a5..c7ffba1b3 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -2,18 +2,16 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with -a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of +This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a +file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a -new file extension is added to the file. +new file extension is added to the file. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -49,13 +47,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" @@ -75,15 +74,17 @@ sequence by process.entity_id, host.id with maxspan=1s ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index dcbc680f3..3115bb569 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -2,15 +2,11 @@ creation_date = "2022/07/27" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. -""" +description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n" from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" 
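Review bot: In the `@@ -2,15 +2,11 @@` hunk of impact_process_kill_threshold.toml the `description` is collapsed from a `"""` literal into a single basic string ending in an escaped `\n`, which is value-preserving (the multi-line form also kept its trailing newline) but leaves a ~150-column line with an embedded escape, while every other description touched in this patch keeps the `"""` form wrapped at 120 columns. The single-line form looks like a formatter artifact rather than an intentional edit, and it is the only rule in the patch whose description reads this way. Keeping the multi-line literal, `description = """` / `This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.` / `"""`, matches the sibling rules and drops the escape; if the formatter is what produced this, the rule text is presumably short enough that a one-line exemption is not worth it and the `"""` form should simply be restored by hand.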
@@ -78,30 +74,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] -type = "threshold" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" + [rule.threat.tactic] id = "TA0040" name = "Impact" @@ -110,3 +107,4 @@ reference = "https://attack.mitre.org/tactics/TA0040/" [rule.threshold] field = ["host.id", "process.executable", "user.name"] value = 10 + diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index c84fb4989..a09d873eb 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/09/21" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's -autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. +Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's +autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -48,16 +46,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("curl", "wget") and process.args : ( 
@@ -66,30 +65,32 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" - [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index f2186f995..b994203c6 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -67,13 +65,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by process.entity_id [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] 
@@ -87,15 +86,17 @@ sequence by process.entity_id ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index b50c4c107..9775b5535 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -67,13 +65,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by process.entity_id [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] @@ -87,15 +86,17 @@ sequence by process.entity_id ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + 
diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 97a17fe29..30d1a3012 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2024/02/01" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -50,15 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -73,9 +72,9 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -86,29 +85,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -116,3 +114,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index 696c037e1..f61fea402 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml +++ b/rules/linux/persistence_apt_package_manager_netcon.toml 
@@ -1,16 +1,14 @@ [metadata] creation_date = "2024/02/01" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an -APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based +Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT +backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. @@ -50,15 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Command and Control", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -70,9 +69,9 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -83,11 +82,11 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -95,7 +94,6 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -103,3 +101,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index a5905a233..040bc52f6 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2022/07/22" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/13" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -14,20 +12,11 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%') +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE +'/etc/rc%.d/%') """ [[transform.osquery]] @@ -54,12 +43,13 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has -either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run +either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. """ from = "now-9m" 
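Review bot: The osquery `query` under "Osquery - Retrieve Additional File Listing Information" in persistence_chkconfig_service_add.toml is reflowed to a flat 120-column wrap that breaks the SQL mid-clause (`AS` / `file_last_access_time`, `LEFT` / `JOIN`, `LIKE` / `'/etc/rc%.d/%'`), losing the one-expression-per-line layout of the removed lines. SQL ignores the line breaks so the query result is unchanged, but these transform strings are what an analyst copies into osquery during triage, and a clause-aligned layout is much easier to read and to check against the `/etc/init.d/` and `/etc/rc*.d/` path filter. Either keep the removed layout or wrap at clause boundaries as below; if an automated formatter produced this reflow, it may be worth exempting `transform.osquery` strings from it.

```toml
query = """
SELECT f.path, u.username AS file_owner, g.groupname AS group_owner,
  datetime(f.atime, 'unixepoch') AS file_last_access_time,
  datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
  datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
  datetime(f.btime, 'unixepoch') AS file_created_time,
  f.size AS size_bytes
FROM file f
  LEFT JOIN users u ON f.uid = u.uid
  LEFT JOIN groups g ON f.gid = g.gid
WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')
"""
```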
@@ -142,9 +132,7 @@ This rule monitors the usage of the `chkconfig` binary to manually add a service - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = [ - "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" -] +references = ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"] risk_score = 47 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6" setup = """## Setup @@ -174,14 +162,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Lightning Framework", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -195,20 +183,22 @@ not process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "up not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index d50db9ab0..7a8e8107c 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -147,17 +146,18 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" + query = ''' event.category:file and host.os.type:linux and event.type:change and process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and 
@@ -169,56 +169,56 @@ event.category:file and host.os.type:linux and event.type:change and not process.executable:/usr/share/elasticsearch/* ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" - [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 8f52ebce8..875666ccf 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml 
@@ -2,59 +2,33 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( - path LIKE '/etc/cron.allow.d/%' OR - path LIKE '/etc/cron.d/%' OR - path LIKE '/etc/cron.hourly/%' OR - path LIKE '/etc/cron.daily/%' OR - path LIKE '/etc/cron.weekly/%' OR - path LIKE '/etc/cron.monthly/%' -) +SELECT * FROM file WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE +'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE +'/etc/cron.monthly/%' ) """ + [[transform.osquery]] label = "Osquery - Retrieve rc-local.service File Information" query = """ -SELECT * FROM file WHERE ( - path = '/etc/cron.allow' OR - path = '/etc/cron.deny' OR - path = '/etc/crontab' OR - path = '/usr/sbin/cron' OR - path = '/usr/sbin/anacron' -) +SELECT * FROM file WHERE ( path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab' OR path = +'/usr/sbin/cron' OR path = '/usr/sbin/anacron' ) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE ( - path LIKE '/etc/cron.allow.d/%' OR - path LIKE '/etc/cron.d/%' OR - path LIKE '/etc/cron.hourly/%' OR - path LIKE '/etc/cron.daily/%' OR - path LIKE 
'/etc/cron.weekly/%' OR - path LIKE '/etc/cron.monthly/%' -) +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE +'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR +path LIKE '/etc/cron.monthly/%' ) """ [[transform.osquery]] @@ -77,6 +51,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -160,7 +135,7 @@ This rule monitors the creation of previously unknown cron jobs by monitoring fo - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", ] risk_score = 47 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9" 
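Review bot: Removing `min_stack_version = "8.6.0"` and its comment ("... New Term") from `[metadata]` drops the only guard that kept this multi-field `new_terms` rule off stacks older than 8.6, where New Terms with several fields is not supported; the rule still lists three fields (`host.id`, `file.path`, `process.executable`) in the `[rule.new_terms]` hunk later in this file. This is only safe if the back-port branch's supported floor is already at or above 8.6.0; the diffstat shows `stack-schema-map.yaml` and `docs/versioning.md` changing, so presumably the floor moved with this PR, but confirm that the map no longer carries a pre-8.6 entry, otherwise the rule fails to load on the oldest supported stack. If the floor is still below 8.6, keep the pin: `min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"` / `min_stack_version = "8.6.0"`. The `[metadata]` table is complete within this hunk, but the hunk ends partway through the `[transform]` section.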
@@ -191,17 +166,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or 
@@ -216,55 +192,54 @@ and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -273,7 +248,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index ff7bf2fbd..bc8cf7caf 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml 
@@ -1,48 +1,27 @@ [metadata] creation_date = "2022/07/12" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/19" integration = ["endpoint"] - +maturity = "production" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( - path = '/etc/ld.so.preload' OR - path = '/lib64/ld-linux-x86-64.so.2' OR - path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR - path = '/usr/lib64/ld-linux-x86-64.so.2' OR - path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' -) +SELECT * FROM file WHERE ( path = '/etc/ld.so.preload' OR path = '/lib64/ld-linux-x86-64.so.2' OR path = +'/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = '/usr/lib64/ld-linux-x86-64.so.2' OR path = +'/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' ) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE ( - path = '/etc/ld.so.preload' OR - path = '/lib64/ld-linux-x86-64.so.2' OR - path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR - path = '/usr/lib64/ld-linux-x86-64.so.2' OR - path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' -) +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') 
AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path = '/etc/ld.so.preload' OR path = +'/lib64/ld-linux-x86-64.so.2' OR path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = +'/usr/lib64/ld-linux-x86-64.so.2' OR path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' ) """ [[transform.osquery]] @@ -65,13 +44,14 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ -Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a -backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in -order to inject and preload a malicious shared object file. This activity should never occur and if it does then it -should be considered highly suspicious or malicious. +Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup +copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to +inject and preload a malicious shared object file. This activity should never occur and if it does then it should be +considered highly suspicious or malicious. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -145,9 +125,7 @@ The detection rule 'Dynamic Linker Copy' is designed to identify such abuse by m - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = [ - "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" -] +references = ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"] risk_score = 73 rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0" setup = """## Setup @@ -177,13 +155,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -196,19 +174,20 @@ sequence by process.entity_id with maxspan=1m [file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index a8f67c739..36ed51d36 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml 
@@ -2,49 +2,26 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( - path LIKE '/etc/ld.so.conf.d/%' OR - path LIKE '/etc/cron.d/%' OR - path LIKE '/etc/sudoers.d/%' OR - path LIKE '/etc/rc%.d/%' OR - path LIKE '/etc/init.d/%' OR - path LIKE '/etc/systemd/system/%' OR - path LIKE '/usr/lib/systemd/system/%' -) +SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' +OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE +'/usr/lib/systemd/system/%' ) """ + [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE ( - path LIKE '/etc/ld.so.conf.d/%' OR - path LIKE '/etc/cron.d/%' OR - path LIKE '/etc/sudoers.d/%' OR - path LIKE '/etc/rc%.d/%' OR - path LIKE '/etc/init.d/%' OR - path LIKE '/etc/systemd/system/%' OR - path LIKE '/usr/lib/systemd/system/%' -) +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, 
f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE +'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE +'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' ) """ [[transform.osquery]] @@ -71,6 +48,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -157,7 +135,7 @@ This rule monitors for the creation of the most common system-wide configuration """ references = [ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", - "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/", ] risk_score = 47 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042" @@ -188,17 +166,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit", - "Threat: Lightning Framework", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", 
@@ -213,76 +192,76 @@ file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/r ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" -[[rule.threat]] -framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" + + +[rule.threat.tactic] +id 
= "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.003" -name = "Sudo and Sudo Caching" -reference = "https://attack.mitre.org/techniques/T1548/003/" diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 1af1b1778..6bded3ec8 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
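Review bot: The technique array of the Persistence `[[rule.threat]]` entry changes order on the new side (T1037, T1543, T1574 versus the old T1037, T1574, T1543) while the `[rule.threat.tactic]` tables move below their techniques; the TOML resolves to the same set of tactic/technique mappings, but array order is content, so this may change the rule's serialized output and with it the entry for `1c84dd64-7e6c-4bad-ac73-a5014ee37042` in `version.lock.json`. Since this PR is described as a back-port of metadata trimming rather than a rule change, confirm that the generated rule JSON or lock-file hash is unchanged, or that the loader normalizes technique order; if the reorder is intentional, a one-line remark in the commit description would save the next reader a manual diff. The `[[rule.threat]]` entries run to the end of the file, so the enclosing section closes outside what the hunk shows as changed.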
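Review bot: The removed comment here, "Multiple field support in the New Terms rule type was added in Elastic 8.6", documented a real load-time dependency, and the rule still uses three `new_terms_fields` (`file.path`, `process.name`, `host.id`) in the `[rule.new_terms]` hunk further down this file, so dropping `min_stack_version = "8.6.0"` is only correct if the branch floor is now at least 8.6.0. Presumably the accompanying `stack-schema-map.yaml` change establishes that floor; verify it, since a single-field-only stack would reject this rule at import. If the floor is not 8.6 or later, restore the two lines: `min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"` / `min_stack_version = "8.6.0"`.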
@@ -18,20 +16,11 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%') +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE +'/run/systemd/generator.late/%') """ [[transform.osquery]] 
@@ -42,14 +31,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts -or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the -"systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or -alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence -on the system. +or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" +can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the +/etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -121,8 +110,7 @@ This rule looks for the creation of new files within the `/etc/init.d/` director references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", - "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" - + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", ] risk_score = 47 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b" 
@@ -153,16 +141,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and file.path : /etc/init.d/* and not ( @@ -175,14 +164,15 @@ file.path : /etc/init.d/* and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -191,7 +181,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.name", "host.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index 866b0d000..60f5ef56b 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -117,7 +116,7 @@ The detection rule 'Kernel module load via insmod' is designed to identify insta - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" + "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/", ] risk_score = 47 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f" 
@@ -148,35 +147,38 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Rootkit", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Rootkit", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index 34f92ac31..bebb8f3e4 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml 
@@ -2,68 +2,51 @@ creation_date = "2021/01/06" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/19" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( - path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR - path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR - path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR - path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR - path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR - path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR - path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR - path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR - path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR - path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR - path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR - path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR - path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR - path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR - path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR - path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' -) +SELECT 
* FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' +OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE +'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' +OR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE +'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE +'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE +'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE +'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE +'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE +'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE +'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE +'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE +'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE +'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE +'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' ) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS 
file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE ( - path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR - path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR - path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR - path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR - path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR - path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR - path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR - path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR - path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR - path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR - path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR - path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR - path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR - path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR - path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR - path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' -) +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, 
datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR +path LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE +'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE +'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE +'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE +'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE +'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE +'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE +'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE +'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE +'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE +'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE +'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE +'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE +'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE +'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' ) """ [[transform.osquery]] 
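Review bot: The reflow of both osquery queries in this hunk turns the one-predicate-per-line WHERE clause into 120-column lines broken at arbitrary token boundaries, which makes it hard to confirm by eye that every `path LIKE` pattern survived unchanged. The breaks visible here all fall between SQL tokens and none lands inside a quoted path pattern, so the query text is equivalent, but a future reflow that wraps inside a quote would silently alter a LIKE pattern with nothing in the diff to flag it. Since whitespace inside a `"""` multi-line string is not significant to osquery, I'd keep the hand-formatted layout for long queries, or have whatever produced this reflow leave `transform.osquery` query bodies alone. The same reflow appears in the kworker hunk (`@@ -2,33 +2,20 @@`) and the message-of-the-day hunk (`@@ -18,20 +16,11 @@`).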
@@ -90,6 +73,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -212,13 +196,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -240,14 +224,15 @@ file where host.os.type == "linux" and event.type != "deletion" and "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml index e727ca8e0..97ba74fa4 100644 --- a/rules/linux/persistence_kernel_driver_load.toml +++ b/rules/linux/persistence_kernel_driver_load.toml 
@@ -2,17 +2,15 @@ creation_date = "2023/10/26" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to +Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other -rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap -that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. +rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap +that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] 
@@ -44,47 +42,49 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "eql" + query = ''' driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -name = "Rootkit" -id = "T1014" -reference = "https://attack.mitre.org/techniques/T1014/" diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml index 24f6c7291..216b6be53 100644 --- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml +++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/01/10" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,7 @@ Detects the loading of a Linux kernel module by a non-root user through system c kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through -auditd_manager. +auditd_manager. """ from = "now-9m" index = ["logs-auditd_manager.auditd-*"] 
@@ -50,48 +48,49 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "eql" + query = ''' driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -name = "Rootkit" -id = "T1014" -reference = "https://attack.mitre.org/techniques/T1014/" - diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index bc4c38f8a..d9e80c23b 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml 
@@ -2,33 +2,20 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" -query = """ -SELECT * FROM file WHERE path = {{file.path}} -""" +query = "SELECT * FROM file WHERE path = {{file.path}}\n" + [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE path = {{file.path}} +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}} """ [[transform.osquery]] 
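Review bot: `query = "SELECT * FROM file WHERE path = {{file.path}}\n"` carries an escaped trailing newline that exists only because the previous `"""` literal ended with one; it is byte-preserving, but the same file's other one-line queries in the next hunk (`query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"`) have no trailing newline, so otherwise identical query values now differ by a `\n`. I'd either keep the `"""` form or strip the newline when collapsing to a basic string, i.e. `query = "SELECT * FROM file WHERE path = {{file.path}}"`. The same artifact appears in the group-creation and user-account-creation hunks, where `description = "...\n"` replaces a `"""` block.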
@@ -55,10 +42,11 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ -This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, +This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. @@ -165,15 +153,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and process.name : "kworker*" and not ( 
@@ -182,29 +171,29 @@ file where host.os.type == "linux" and event.action in ("creation", "file_create ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -name = "Rootkit" -id = "T1014" -reference = "https://attack.mitre.org/techniques/T1014/" - diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index bb0e1ebe6..cf4f8a430 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -2,14 +2,15 @@ creation_date = "2023/03/07" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve User Accounts with a UID of 0" -query = "SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'" +query = """ +SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE +'0' +""" [[transform.osquery]] label = "Osquery - Retrieve Running Processes by User" 
@@ -27,10 +28,11 @@ query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" label = "Osquery - Retrieve Information for a Specific Group" query = "SELECT * FROM groups WHERE groupname = {{group.name}}" + [rule] author = ["Elastic"] description = """ -Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to +Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. """ from = "now-9m" @@ -114,36 +116,39 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index 8bdadc05c..be5b7c048 100644 --- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -23,11 +21,10 @@ query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + [rule] author = ["Elastic"] -description = """ -Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system. -""" +description = "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.\n" from = "now-9m" index = ["filebeat-*", "logs-system.auth-*"] language = "eql" 
@@ -103,28 +100,37 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" + query = ''' iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and process.name in ("groupadd", "addgroup") and group.name != null ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index eeb4603ab..42ea56ee0 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -2,9 +2,7 @@ creation_date = "2023/03/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -27,11 +25,12 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{pr label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ -Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. -Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. +Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. """ false_positives = [ @@ -131,18 +130,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.executable : ( 
@@ -165,33 +165,34 @@ process.name : ( ) and not process.name == "phpquery" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml index 18b550025..0806394a0 100644 --- a/rules/linux/persistence_linux_user_account_creation.toml +++ b/rules/linux/persistence_linux_user_account_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -23,11 +21,10 @@ query = "SELECT * FROM groups WHERE groupname = {{group.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + [rule] author = ["Elastic"] -description = """ -Identifies attempts to create new users. Attackers may add new users to establish persistence on a system. -""" +description = "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.\n" from = "now-9m" index = ["filebeat-*", "logs-system.auth-*"] language = "eql" @@ -102,28 +99,37 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" + query = ''' iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and process.name in ("useradd", "adduser") and user.name != null ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index 2528e50c2..d08a4139b 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -23,10 +21,11 @@ query = "SELECT * FROM groups WHERE groupname = {{group.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + [rule] author = ["Elastic"] description = """ -Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to +Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system. """ from = "now-9m" 
@@ -109,17 +108,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.args in ( @@ -132,20 +132,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 7afb4ae59..85e05d4e8 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
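Review bot: The gate removed in the message-of-the-day hunk (`min_stack_version = "8.6.0"`, justified by `min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"`) is a different kind of constraint from the `8.3.0` gates dropped elsewhere in this chunk: it ties a `new_terms` rule to a rule-type capability, presumably because its `new_terms_fields` lists more than one field, and that list is outside the hunk. Dropping it is only safe if the package's minimum supported stack is now at or above 8.6.0; that floor is set outside this hunk, so please confirm it, otherwise the rule could be rejected on 8.3–8.5 stacks where multi-field new terms is not available. If the floor does cover 8.6, a sentence in the PR description naming the minimum version that makes the 8.6 gate redundant would help future readers.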
@@ -18,20 +16,11 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%') +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE +'/usr/lib/update-notifier/%') """ [[transform.osquery]] @@ -42,6 +31,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ 
@@ -116,7 +106,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/` - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd", ] risk_score = 47 rule_id = "96d11d31-9a79-480f-8401-da28b194608f" @@ -147,16 +137,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] -type = "new_terms" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "new_terms" + query = ''' host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( @@ -167,14 +158,15 @@ file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -183,7 +175,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index 219b88f9f..ca3cb5b9b 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -18,20 +16,11 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%') +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE +'/usr/lib/update-notifier/%') """ [[transform.osquery]] 
@@ -41,15 +30,17 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u [[transform.osquery]] label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + + [rule] author = ["Elastic"] description = """ -Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH -or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and -"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a -serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a -user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially -malicious processes through the MOTD utility. +Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or +a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and +"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a +serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a +user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially +malicious processes through the MOTD utility. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -115,7 +106,7 @@ This rule identifies the execution of potentially malicious processes from a MOT - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd", ] risk_score = 73 rule_id = "4ec47004-b34a-42e6-8003-376a123ea447" @@ -146,16 +137,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and ( @@ -186,15 +178,17 @@ not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index ce7a4a9ae..e9177e41c 100644 
--- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -17,21 +15,24 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u [[transform.osquery]] label = "Osquery - Retrieve rc-local.service File Information" -query = "SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')" +query = """ +SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = +'/run/systemd/generator/multi-user.target.wants/rc-local.service') +""" [[transform.osquery]] label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ -This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable -through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, -services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. -However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at -boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the -system. +This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the +use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or +commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the +"systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter +rc.local to execute malicious code at start-up, and gain persistence onto the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
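Review bot: The reflowed osquery query under label "Osquery - Retrieve rc-local.service File Information" compares `path` against the same literal twice — both sides of the `OR` are `'/run/systemd/generator/multi-user.target.wants/rc-local.service'` — so the second branch is dead and the investigation lookup probably misses whatever second location was intended. The commit only rewraps the string, so the duplication predates it, but it is worth settling while the line is being touched: either drop the redundant branch, `query = "SELECT * FROM file WHERE path = '/run/systemd/generator/multi-user.target.wants/rc-local.service'"`, or confirm the intended second path with the rule author and substitute it.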
@@ -100,8 +101,7 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", - "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" - + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", ] risk_score = 47 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f" @@ -132,16 +132,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] -type = "new_terms" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "new_terms" + query = ''' host.os.type : "linux" and event.category : "file" and event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and @@ -150,19 +151,20 @@ file.path : "/etc/rc.local" and not process.name : ( ) and not file.extension : ("swp" or "swpx") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -171,7 +173,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index c99e8b13e..0aa61d6bc 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -133,20 +132,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name in ("jem", "vzctl") ''' + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -154,21 +155,21 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index b9da05228..72faf4eb4 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml 
@@ -2,33 +2,20 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" -query = """ -SELECT * FROM file WHERE path = {{file.path}} -""" +query = "SELECT * FROM file WHERE path = {{file.path}}\n" + [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE path = {{file.path}} +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}} """ [[transform.osquery]] @@ -55,6 +42,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ 
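Review bot: The rewritten first osquery transform in the `@@ -2,33 +2,20 @@` hunk, `query = "SELECT * FROM file WHERE path = {{file.path}}\n"`, carries an escaped trailing newline inside a basic string. It is the same value the old `"""` block held, so nothing changes at runtime, but the `\n` reads as a serializer artifact rather than intended content, and the sibling rule persistence_systemd_scheduled_timer_created.toml writes the identical lookup as `query = "SELECT * FROM file WHERE path = {{file.path}}"`. Suggest dropping the `\n` so the two rules agree and the formatter has no reason to reintroduce it.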
@@ -167,10 +155,11 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not ( @@ -180,19 +169,20 @@ file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* an ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -201,7 +191,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml index 9f5571f1f..bbdb5484c 100644 --- a/rules/linux/persistence_shell_configuration_modification.toml +++ b/rules/linux/persistence_shell_configuration_modification.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/30" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/04/30" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -50,15 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] -type = "new_terms" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "new_terms" + query = ''' event.category:file and host.os.type:linux and event.action:(creation or file_create_event or rename or file_rename_event) and file.path:( @@ -80,19 +79,20 @@ event.action:(creation or file_create_event or rename or file_rename_event) and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -100,8 +100,9 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "user.id", "process.executable"] - +value = ["host.id", "user.id", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index 88458c64b..21922814d 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml 
@@ -1,19 +1,17 @@ [metadata] creation_date = "2023/07/25" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a +This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of -suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file +suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish -persistence, escalate privileges or perform reconnaisance on the system. +persistence, escalate privileges or perform reconnaisance on the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -25,16 +23,17 @@ risk_score = 21 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and file.path : ( 
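Review bot: The rewrapped description in the `@@ -1,19 +1,17 @@` hunk keeps the misspelling `reconnaisance` on its last added line; since this text is shown to analysts alongside alerts, change it to `persistence, escalate privileges or perform reconnaissance on the system.`. The rest of that hunk is whitespace-only, so this is the only wording fix needed here.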
@@ -57,58 +56,59 @@ file.path : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control 
Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.003" -name = "Sudo and Sudo Caching" -reference = "https://attack.mitre.org/techniques/T1548/003/" diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml index 61823f66e..77654c11f 100644 --- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml @@ -2,10 +2,7 @@ creation_date = "2024/04/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/01" - +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,21 +15,22 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Execution via XZBackdoor" -references =["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"] +references = ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"] risk_score = 73 rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248" severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' sequence by host.id, user.id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and 
@@ -43,56 +41,56 @@ sequence by host.id, user.id with maxspan=1s [network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" - [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml index 45d827261..fba0565d1 100644 --- a/rules/linux/persistence_systemd_netcon.toml +++ b/rules/linux/persistence_systemd_netcon.toml 
@@ -1,10 +1,8 @@ [metadata] creation_date = "2024/02/01" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -50,15 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Command and Control", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -70,29 +69,29 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -100,7 +99,6 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" 
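Review bot: In the `@@ -50,15 +48,16 @@` hunk of persistence_systemd_netcon.toml the rule goes straight from the `tags` array to `type = "eql"` with no `timestamp_override`, whereas every other rule touched by this patch sets `timestamp_override = "event.ingested"` before `type`. This predates the commit and may be deliberate for a sequence rule, but if it is an omission it affects how late-arriving events are matched, so it is worth confirming with the author and adding `timestamp_override = "event.ingested"` if appropriate.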
@@ -108,3 +106,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index 02f869196..b021569a8 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml +++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/12/13" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -14,38 +12,19 @@ query = "SELECT * FROM file WHERE path = {{file.path}}" [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( -path LIKE '/etc/systemd/system/%' OR -path LIKE '/usr/local/lib/systemd/system/%' OR -path LIKE '/lib/systemd/system/%' OR -path LIKE '/usr/lib/systemd/system/%' OR -path LIKE '/home/user/.config/systemd/user/%' -) +SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE +'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' ) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE ( -path LIKE '/etc/systemd/system/%' OR -path LIKE '/usr/local/lib/systemd/system/%' OR -path LIKE '/lib/systemd/system/%' OR -path LIKE '/usr/lib/systemd/system/%' OR -path LIKE '/home/{{user.name}}/.config/systemd/user/%' -) +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE +'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path 
+LIKE '/home/{{user.name}}/.config/systemd/user/%' ) """ [[transform.osquery]] @@ -56,13 +35,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ -Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used -by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd -timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in -case the connection to the infected asset was lost. +Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used +by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd +timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in +case the connection to the infected asset was lost. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -130,7 +110,7 @@ This rule monitors the creation of new systemd timer files, potentially indicati """ references = [ "https://opensource.com/article/20/7/systemd-timers", - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", ] risk_score = 21 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c" 
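Review bot: The reflowed "Osquery - Retrieve File Listing Information" query still hard-codes `path LIKE '/home/user/.config/systemd/user/%'`, so on any host where the account is not literally named `user` that branch returns nothing, while the "Retrieve Additional File Listing Information" query directly below it already templates the same directory as `/home/{{user.name}}/.config/systemd/user/%`. The commit only rewraps the SQL, so the inconsistency is carried onto the new side unchanged. I would make the first query use the same placeholder, `path LIKE '/home/{{user.name}}/.config/systemd/user/%'`, so both osquery actions look at the actual user's systemd unit directory. If the literal is intentional (for instance because `user.name` is not always populated for this rule), a sentence in the investigation guide saying so would save the next reader the same question.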
@@ -161,16 +141,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or @@ -183,19 +164,20 @@ file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/sy ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.006" name = "Systemd Timers" reference = "https://attack.mitre.org/techniques/T1053/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -204,7 +186,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index a876bda25..aeacc5b90 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml 
@@ -2,9 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
-min_stack_version = "8.6.0"
-updated_date = "2023/12/13"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -14,38 +12,19 @@ query = "SELECT * FROM file WHERE path = {{file.path}}" [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( -path LIKE '/etc/systemd/system/%' OR -path LIKE '/usr/local/lib/systemd/system/%' OR -path LIKE '/lib/systemd/system/%' OR -path LIKE '/usr/lib/systemd/system/%' OR -path LIKE '/home/user/.config/systemd/user/%' -) +SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE +'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' ) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE ( -path LIKE '/etc/systemd/system/%' OR -path LIKE '/usr/local/lib/systemd/system/%' OR -path LIKE '/lib/systemd/system/%' OR -path LIKE '/usr/lib/systemd/system/%' OR -path LIKE '/home/{{user.name}}/.config/systemd/user/%' -) +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE +'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path 
+LIKE '/home/{{user.name}}/.config/systemd/user/%' ) """ [[transform.osquery]] @@ -72,12 +51,13 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ -Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious -actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute -malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute +Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious +actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute +malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. """ from = "now-9m" @@ -159,7 +139,7 @@ This rule monitors the creation of new systemd service files, potentially indica """ references = [ "https://opensource.com/article/20/7/systemd-timers", - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", ] risk_score = 47 rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001" 
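Review bot: Same issue as in the timer rule: the first osquery action keeps the literal `path LIKE '/home/user/.config/systemd/user/%'` while the second action in this hunk templates the path as `/home/{{user.name}}/.config/systemd/user/%`, so the two file listings cover different directories on any host whose account is not called `user`. The reflow in this commit preserves the literal, so the mismatch is now on the new side. I would align the first query with the second, `path LIKE '/home/{{user.name}}/.config/systemd/user/%'`, or note in the guide why a fixed home directory is acceptable for this service-creation investigation.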
@@ -190,14 +170,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -219,37 +199,37 @@ not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -258,7 +238,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml index b9bc99d66..6cabc894a 100644 --- a/rules/linux/persistence_tainted_kernel_module_load.toml 
+++ b/rules/linux/persistence_tainted_kernel_module_load.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/23" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -44,46 +42,48 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "query" + query = ''' host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:"module verification failed: signature and/or required key missing - tainting kernel" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -name = "Rootkit" -id = "T1014" -reference = "https://attack.mitre.org/techniques/T1014/" 
diff --git a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index 784a655fa..57ff1986c 100644 --- a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml @@ -2,14 +2,12 @@ creation_date = "2023/10/26" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating +This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access. 
@@ -44,46 +42,48 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "query" + query = ''' host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:"loading out-of-tree module taints kernel." ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -name = "Rootkit" id = "T1014" +name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index 219dc0dc5..bcd0e28ad 100644 --- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -49,15 +47,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] -type = "new_terms" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "new_terms" + query = ''' host.os.type:"linux" and event.category:"file" and event.type:("change" or "file_modify_event" or "creation" or "file_create_event") and @@ -67,14 +66,15 @@ file.path:/lib/udev/* and process.executable:* and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -83,7 +83,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index c631a2d3b..6582e4663 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/07/28" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a -wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate +wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. """ 
@@ -49,49 +47,51 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index 0084ab81f..b5167a53e 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml 
+++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml @@ -2,18 +2,16 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of processes that interact with Linux containers through an interactive shell -without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact -with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might -be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a -container escape attack, which might allow them to escalate privileges and gain further access onto the host file system. +This rule monitors for the execution of processes that interact with Linux containers through an interactive shell +without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with +containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be +able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container +escape attack, which might allow them to escalate privileges and gain further access onto the host file system. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -22,8 +20,8 @@ license = "Elastic License v2" name = "Potential Privilege Escalation via Container Misconfiguration" references = [ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", - "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" - ] + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation", +] risk_score = 47 rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d" setup = """## Setup @@ -61,9 +59,17 @@ Session View uses process data collected by the Elastic Defend integration, but For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Domain: Container", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.name == "runc" and process.args == "run") or @@ -72,15 +78,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.interactive == true and process.parent.interactive == true ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + 
diff --git a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml index dadfea901..f3fc23dbe 100644 --- a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml +++ b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml @@ -2,16 +2,14 @@ creation_date = "2024/01/15" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its -containarized environment. This behavior pattern is very uncommon and should be investigated. +containarized environment. This behavior pattern is very uncommon and should be investigated. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -19,8 +17,8 @@ language = "eql" license = "Elastic License v2" name = "Potential Chroot Container Escape via Mount" references = [ - "https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash" - ] + "https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash", +] risk_score = 47 rule_id = "5ae02ebc-a5de-4eac-afe6-c88de696477d" setup = """## Setup 
@@ -60,14 +58,15 @@ For more information about the additional fields collected when this setting is """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Domain: Container", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Domain: Container", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.entity_id with maxspan=5m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -77,15 +76,17 @@ sequence by host.id, process.parent.entity_id with maxspan=5m process.name == "chroot"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml index 60863460f..f17fb467f 100644 --- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml +++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -51,48 +49,50 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and user.id == "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.013" name = "KernelCallbackTable" reference = "https://attack.mitre.org/techniques/T1574/013/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -name = "Rootkit" -id = "T1014" -reference = "https://attack.mitre.org/techniques/T1014/" diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index 52c674200..c1188e26d 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml 
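Review bot: The Privilege Escalation `[[rule.threat]]` block keeps the sub-technique `id = "T1574.013"` / `name = "KernelCallbackTable"` for a rule whose query matches `host.os.type == "linux"` and `process.name : "kworker*"`; as far as I recall, KernelCallbackTable is a Windows-only ATT&CK sub-technique (it hijacks a user-mode PEB structure), so the mapping does not describe a Linux kernel-thread masquerade and will mislead anyone pivoting from ATT&CK coverage. The commit only moves the Defense Evasion `[[rule.threat.technique]]` ahead of its tactic, so this mapping is carried over unchanged. I would drop the `[[rule.threat.technique.subtechnique]]` entry and keep the parent `T1574`, or remap to a masquerading technique if that is what the rule is really catching, after confirming platform applicability against the current ATT&CK matrix.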
@@ -2,9 +2,7 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -61,33 +59,35 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.category:file and event.action:(updated or renamed or rename or file_rename_event) and not event.type:deletion and file.path:/etc/ld.so.preload and not process.name:(wine or oneagentinstallaction) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -96,7 +96,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index a7983629c..17842881d 100644 
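Review bot: The exclusion `not process.name:(wine or oneagentinstallaction)` in the reflowed query filters on the bare process name, which an attacker who can already write `/etc/ld.so.preload` also controls — copying a tool to a file named `wine` sidesteps the rule. The commit only reformats the query and threat blocks, so this is pre-existing but now sits on the new side. I would key the allowlist on `process.executable` with the real install paths (confirmed from telemetry) rather than on `process.name`, or at minimum document in the rule why a name-based exclusion was accepted; the `new_terms` tuple in the following hunk already uses `process.executable`, so the field is available to the rule.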
--- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -49,16 +47,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "ln" and process.args in ("-s", "-sf") and 
@@ -81,33 +80,34 @@ process.name == "ln" and process.args in ("-s", "-sf") and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml index 26f8283c9..3cef1b9da 100644 --- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml +++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml 
@@ -2,16 +2,14 @@
 creation_date = "2023/07/27"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum
-allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID
-greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
+This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum
+allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID
+greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -19,9 +17,10 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via UID INT_MAX Bug Detected"
 references = [
- "https://twitter.com/paragonsec/status/1071152249529884674",
+ "https://twitter.com/paragonsec/status/1071152249529884674",
 "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh",
- "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"]
+ "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74",
+]
 risk_score = 47
 rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5"
 setup = """## Setup
@@ -51,29 +50,32 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index c45f02676..9a7f5068b 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml 
@@ -1,19 +1,17 @@
 [metadata]
 creation_date = "2023/06/09"
-maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
 integration = ["endpoint", "auditd_manager"]
+maturity = "production"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential
-compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different
-kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures,
-escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to
-tamper with the system's trusted state, allowing e.g. a VM Escape.
+This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential
+compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different
+kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures,
+escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to
+tamper with the system's trusted state, allowing e.g. a VM Escape.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -23,7 +21,7 @@ name = "Kernel Load or Unload via Kexec Detected"
 references = [
 "https://www.crowdstrike.com/blog/venom-vulnerability-details/",
 "https://www.makeuseof.com/what-is-venom-vulnerability/",
- "https://madaidans-insecurities.github.io/guides/linux-hardening.html"
+ "https://madaidans-insecurities.github.io/guides/linux-hardening.html",
 ]
 risk_score = 47
 rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957"
@@ -54,68 +52,69 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1601" name = "Modify System Image" reference = "https://attack.mitre.org/techniques/T1601/" - [[rule.threat.technique.subtechnique]] id = "T1601.001" name = "Patch System Image" reference = 
"https://attack.mitre.org/techniques/T1601/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
index 30b4f2fcd..75d12aa5a 100644
--- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
+++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6."
-min_stack_version = "8.6.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +15,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via CVE-2023-4911"
-references = ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"]
+references = [
+ "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so",
+]
 risk_score = 73
 rule_id = "6d8685a1-94fa-4ef7-83de-59302e7c4ca8"
 setup = """## Setup
@@ -60,29 +60,32 @@ For more information on capturing environment variables refer to the [helper gui """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml index b9d7cdcdf..eeade4b3a 100644 --- a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml +++ b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml 
@@ -2,16 +2,14 @@ creation_date = "2024/01/15" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Detects network connections initiated by the "sudo" binary. This behavior is uncommon and may occur in instances where reverse shell shellcode is injected into a process run with elevated permissions via "sudo". Attackers may attempt to -inject shellcode into processes running as root, to escalate privileges. +inject shellcode into processes running as root, to escalate privileges. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -47,45 +45,48 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "ipv4_connection_attempt_event") and process.name == "sudo" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index 8c5e04a75..a62129ec6 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the -ability to escalate privileges to root on the affected machine. +ability to escalate privileges to root on the affected machine. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -20,7 +18,8 @@ license = "Elastic License v2" name = "Potential Privilege Escalation via OverlayFS" references = [ "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", - "https://twitter.com/liadeliyahu/status/1684841527959273472"] + "https://twitter.com/liadeliyahu/status/1684841527959273472", +] risk_score = 73 rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57" setup = """## Setup @@ -49,8 +48,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by process.parent.entity_id, host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -59,15 +66,17 @@ sequence by process.parent.entity_id, host.id with maxspan=5s user.id == "0"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index e8467a595..ca808d172 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -46,7 +44,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml index 3bd208412..d0bdbf799 100644 --- a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml 
+++ b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2023/12/11" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,41 +28,42 @@ As a higher-order rule (based on other detections), this rule also requires the """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Initial Access", - "Use Case: Vulnerability", - "Rule Type: Higher-Order Rule" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Initial Access", + "Use Case: Vulnerability", + "Rule Type: Higher-Order Rule", +] timestamp_override = "event.ingested" type = "threshold" + query = ''' kibana.alert.rule.rule_id:"5c81fc9d-1eae-437f-ba07-268472967013" and host.os.type:linux and event.kind:signal ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index 8353f4f69..3e3d1dbd1 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -48,8 +46,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -61,28 +67,29 @@ sequence by host.id with maxspan=1s process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index 7a36055d1..ab68d5dbf 100644 
--- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
+++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
@@ -2,17 +2,15 @@
 creation_date = "2023/08/30"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions.
-Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through
-DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root,
-such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate
+This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions.
+Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine
+through DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by
+root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate
 privileges.
 """
 from = "now-9m"
@@ -20,7 +18,9 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Suspicious DebugFS Root Device Access"
-references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"]
+references = [
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group",
+]
 risk_score = 21
 rule_id = "2605aa59-29ac-4662-afad-8d86257c7c91"
 setup = """## Setup
@@ -49,29 +49,39 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "debugfs" and process.args : "/dev/sd*" and not process.args == "-R" and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index ff3852135..52293c9bd 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml @@ -2,9 +2,7 @@ creation_date = "2022/09/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -48,14 +46,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -66,32 +64,32 @@ host.os.type : "linux" and event.category : "process" and event.action : ("exec" (process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" @@ -100,7 +98,8 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["process.command_line", "host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index a5a59552e..757994326 100644 
--- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
+++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
@@ -2,16 +2,14 @@
 creation_date = "2023/08/30"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate
+This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate
 privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID
-that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0,
+that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0,
 representing the root user. This exploit may work for sudo versions prior to v1.28.
 """
 from = "now-9m"
@@ -49,31 +47,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Use Case: Vulnerability", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Use Case: Vulnerability", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "sudo" and process.args == "-u#-1" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index d87321780..cc224a4ba 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml 
@@ -2,15 +2,13 @@
 creation_date = "2023/07/26"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/02/21"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and
-replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or
+Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and
+replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or
 enable persistence onto the system every time the sudo binary is executed.
 """
 from = "now-9m"
@@ -54,41 +52,42 @@ tags = [ "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd or pacman) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -97,7 +96,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index e748504ac..83436532a 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml 
@@ -2,18 +2,16 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a -debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token +This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a +debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by -attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence -of a living process that has a valid sudo token with the same uid as the current user. +attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence +of a living process that has a valid sudo token with the same uid as the current user. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -49,8 +47,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.session_leader.entity_id with maxspan=15s [ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -59,30 +64,32 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index 5e32f77ff..099c3d746 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml 
+++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml @@ -2,18 +2,16 @@ creation_date = "2023/09/05" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, +This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. -Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated -privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the -privileges that are set on the binary that is being executed. +Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated +privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the +privileges that are set on the binary that is being executed. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -49,8 +47,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -59,9 +64,9 @@ sequence by host.id, process.entity_id with maxspan=1s (user.id == "0" or group.id == "0")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -71,12 +76,13 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml index ab23c2c48..0b8d920fc 100644 --- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml +++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/01/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -71,14 +69,15 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.pid with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -87,15 +86,17 @@ sequence by host.id, process.parent.pid with maxspan=1m not auditd.data.a2 == "80000" and event.outcome == "success" and user.id != "0"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml index 9f8d47e5a..64e954706 100644 --- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml +++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent -alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or +This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent +alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit. """ from = "now-9m" @@ -46,8 +44,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -60,15 +66,17 @@ sequence by host.id with maxspan=1m user.id == "0"] by process.name ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml index 91c4d09bf..f7b153258 100644 --- a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml +++ b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -48,15 +46,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:"linux" and event.category:"process" and event.action:"uid_change" and event.type:"change" and user.id:"0" and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or "ksh" or "fish") and not ( 
@@ -72,42 +71,42 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.013" name = "KernelCallbackTable" reference = "https://attack.mitre.org/techniques/T1574/013/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -name = "Rootkit" -id = "T1014" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "process.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml index c27fcc55b..bf460f045 100644 --- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml +++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/30" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
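Review bot: The reordered threat block keeps sub-technique T1574.013 "KernelCallbackTable" on a rule whose query is scoped to `host.os.type:"linux"`; in ATT&CK that sub-technique is documented as Windows-only, so the mapping looks inaccurate and the commit only moves lines around it. If the uid-change behaviour is what the rule is about, the parent `id = "T1574"` entry alone, or `T1548.001` "Setuid and Setgid" as the sibling Linux rules in this patch use, would be a more defensible mapping; confirm against the rule author's intent before changing it, since these tags feed ATT&CK coverage reporting. Moving the Rootkit technique ahead of the tactic table is consistent with the other files and needs no change.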
@@ -63,15 +61,16 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and process.executable: "/usr/bin/unshare" and @@ -79,15 +78,17 @@ not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox-boot", "java") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml index 66a4907ba..be6a9360a 100644 --- a/rules/linux/privilege_escalation_writable_docker_socket.toml +++ b/rules/linux/privilege_escalation_writable_docker_socket.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/07/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by -default are only be writable by the root user and docker group. Attackers that have permissions to write to these -sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto +This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by +default are only be writable by the root user and docker group. Attackers that have permissions to write to these +sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system. """ from = "now-9m" @@ -19,7 +17,9 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation through Writable Docker Socket" -references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"] +references = [ + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape", +] risk_score = 47 rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8" setup = """## Setup 
@@ -48,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Domain: Container", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -61,15 +68,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml index ba6e92684..10a162065 100644 --- a/rules/macos/credential_access_credentials_keychains.toml +++ b/rules/macos/credential_access_credentials_keychains.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: process.Ext.effective_parent" -min_stack_version = "8.7.0" -updated_date = "2024/03/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index 36af1b87a..4eea3dcd5 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index c437c128e..e9e879c94 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"
+references = ["https://ss64.com/osx/security.html"]
+risk_score = 73
+rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"
 setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -43,11 +44,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://ss64.com/osx/security.html"]
-risk_score = 73
-rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index 91fb75396..ef37c8198 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index f0e7ef6fc..fc4b71083 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/06"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/06"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -53,7 +51,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 1378d970a..6e915a16c 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: process.Ext.effective_parent"
-min_stack_version = "8.7.0"
-updated_date = "2024/03/19"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
index 31068ac42..40b3b2d18 100644
--- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml +++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -46,9 +44,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] -type = "threshold" +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml index 2ed4b55b6..ac83ec10a 100644 --- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: process.Ext.effective_parent" -min_stack_version = "8.7.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index f61a002dc..01434aa4c 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: process.Ext.effective_parent"
-min_stack_version = "8.7.0"
-updated_date = "2024/02/06"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index d4ff69231..44a471921 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/15"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 5d8a845c8..651cb2eae 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -2,16 +2,14 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/17"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from
-the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time.
-An adversary may disable this attribute to evade defenses.
+Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are
+downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper
+defense program at execution time. An adversary may disable this attribute to evade defenses.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 9371e7606..9cf185bb7 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index d20639297..c4d2d6880 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 5323edd7f..044d6b27a 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -51,7 +49,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 73685fd4d..0e9e1000b 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index d17b16d0b..599eef17f 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 5fe54a81d..0c821e217 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -51,7 +49,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 7b51eb138..8accc83b5 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index dfe03dda7..332860d1f 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -42,7 +40,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 5d903cf4d..bc38d1d38 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/12"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: process.Ext.effective_parent"
-min_stack_version = "8.7.0"
-updated_date = "2024/02/06"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -45,7 +43,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -84,6 +88,7 @@ id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
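Review bot: The `-min_stack_version = "8.7.0"` removal in the discovery_users_domain_built_in_commands.toml hunk is the only trim in this batch that drops a floor above 8.3.0, and the comment removed alongside it (`New fields added: process.Ext.effective_parent`) records that the rule depends on a field introduced at that version. If the repository-wide supported floor set elsewhere in this commit (stack-schema-map.yaml) is now at or above 8.7.0 the trim is harmless; if it is lower, a stack between the floor and 8.7.0 would receive a rule whose query references a field its schema lacks, which would most likely match nothing rather than fail loudly. Worth stating the new floor in the PR description, or keeping `min_stack_version = "8.7.0"` on this one rule until that is confirmed.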
@@ -93,6 +98,8 @@ id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
+
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index 01c2ed6cf..37396801e 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index 698e23e30..a0c384dc8 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index 1638639bb..2e53cc222 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/02/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -59,7 +57,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index 136bfe590..55faccc41 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index b1f11d979..d643bd904 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index a7a99bdb5..c0c517e9e 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index 5d97ac011..9013d41a7 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/12"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 226042e14..567c47b24 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 3e6f70a97..c312d9699 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index f54ba8e70..6388074a4 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 841b7e479..88551bdc5 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index 1b0f3cb86..043c9618c 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index 776e53467..1b48ca3d7 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -45,7 +43,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index a6aeb4b28..0c3009d0c 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 7b3faa66c..86b2ab22a 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index d0f9b622d..b8396765b 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/04/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index dde96a35b..669416509 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index 182980687..6212dfc74 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index 06cb5f257..25ac05e33 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -48,7 +46,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 98d49da56..e6bbcdc0b 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index 54d9a2796..c597f0d3f 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index 071bdeec6..47a4bdcfe 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 91ca171a5..0b84f1c37 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -48,7 +46,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 2ab486933..18b114cfa 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index 27b66280d..b0ef9cdda 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index 7abf4edf7..f75f8d191 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/19"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 2a42dcc35..b83bfe38a 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index b27ce05a7..fda11158c 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 7509ec421..c2c9d4d7c 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +56,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index 09eaadca5..f7280bcfa 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -56,7 +54,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index 11859698a..d9e648f11 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -51,7 +49,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index 47d8aa87a..f28167881 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index 5cd2ed8d6..b05b7f042 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index 62f86ac76..2fbd033a2 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -56,7 +54,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Use Case: Vulnerability",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 619fe2872..3e51714cd 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/27"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
index 757b1664c..11ced2586 100644
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -30,9 +28,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
 severity = "low"
-tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
+tags = [
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Command and Control",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -45,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1572/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
index 43d92a099..7a9331936 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -33,23 +31,28 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "746edc4c-c54c-49c6-97a1-651223819448" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"] +tags = [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" - [[rule.threat.technique.subtechnique]] - id = "T1071.004" - name = "DNS" - reference = "https://attack.mitre.org/techniques/T1071/004/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml index c68d24c04..f5f645da5 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -36,22 +34,25 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"] +tags = [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - id = "T1071.001" - name = "Web Protocols" - reference = "https://attack.mitre.org/techniques/T1071/001/" - [rule.threat.tactic] id = "TA0011" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml index 449a6ff3e..80d1ea8c1 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -34,22 +32,25 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"] +tags = [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - id = "T1071.001" - name = "Web Protocols" - reference = "https://attack.mitre.org/techniques/T1071/001/" - [rule.threat.tactic] id = "TA0011" diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml index 7d5f0f82d..b1686ca28 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml @@ -2,9 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -60,9 +58,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "99dcf974-6587-4f65-9252-d866a3fdfd9c"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -74,4 +78,5 @@ reference = "https://attack.mitre.org/techniques/T1110/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
index 108d1f6a6..7bef2ab7d 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
@@ -28,9 +26,14 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -42,4 +45,5 @@ reference = "https://attack.mitre.org/techniques/T1110/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
index 5a7340a19..a7db16692 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -2,16 +2,14 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job found an unusually large spike in successful authentication events from a particular
-source IP address. This can be due to password spraying, user enumeration or brute force activity.
+A machine learning job found an unusually large spike in successful authentication events from a particular source IP
+address. This can be due to password spraying, user enumeration or brute force activity.
 """
 false_positives = [
 """
@@ -53,9 +51,16 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "e26aed74-c816-40d3-a810-48d6fbd8b2fd"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -78,11 +83,14 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "T1078.002"
 name = "Domain Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/002/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.003"
 name = "Local Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/003/"
+
+
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
index 208bb5ed2..99b868e36 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -27,20 +25,26 @@ name = "Unusual Linux Process Calling the Metadata Service"
 risk_score = 21
 rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
 
- [[rule.threat.technique.subtechnique]]
- id = "T1552.005"
- name = "Cloud Instance Metadata API"
- reference = "https://attack.mitre.org/techniques/T1552/005/"
 
 
 [rule.threat.tactic]
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
index 70948500d..c9b15fd47 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
@@ -27,23 +25,30 @@ name = "Unusual Linux User Calling the Metadata Service"
 risk_score = 21
 rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
 
- [[rule.threat.technique.subtechnique]]
- id = "T1552.005"
- name = "Cloud Instance Metadata API"
- reference = "https://attack.mitre.org/techniques/T1552/005/"
 
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml
index 3520d541d..ce9acc370 100644
--- a/rules/ml/credential_access_ml_suspicious_login_activity.toml
+++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -25,9 +23,14 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index 2885596e7..708f48dd6 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -27,24 +25,30 @@ name = "Unusual Windows Process Calling the Metadata Service"
 risk_score = 21
 rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
 
- [[rule.threat.technique.subtechnique]]
- id = "T1552.005"
- name = "Cloud Instance Metadata API"
- reference = "https://attack.mitre.org/techniques/T1552/005/"
-
 
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 4ef68ed70..783424170 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
@@ -27,24 +25,30 @@ name = "Unusual Windows User Calling the Metadata Service"
 risk_score = 21
 rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
 
- [[rule.threat.technique.subtechnique]]
- id = "T1552.005"
- name = "Cloud Instance Metadata API"
- reference = "https://attack.mitre.org/techniques/T1552/005/"
-
 
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml
index ed009b873..c79652052 100644
--- a/rules/ml/discovery_ml_linux_system_information_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
@@ -29,7 +27,14 @@ name = "Unusual Linux System Information Discovery Activity"
 risk_score = 21
 rule_id = "d4af3a06-1e0a-48ec-b96a-faf2309fae46"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Discovery",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
index 8dde1a9c8..016916bf3 100644
--- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 25
@@ -29,7 +27,14 @@ name = "Unusual Linux Network Configuration Discovery"
 risk_score = 21
 rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Discovery",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
index d92e316c9..240ea84f8 100644
--- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 25
@@ -29,7 +27,14 @@ name = "Unusual Linux Network Connection Discovery"
 risk_score = 21
 rule_id = "c28c4d8c-f014-40ef-88b6-79a1d67cd499"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Discovery",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml
index 13dc66315..236077e31 100644
--- a/rules/ml/discovery_ml_linux_system_process_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -29,7 +27,14 @@ name = "Unusual Linux Process Discovery Activity"
 risk_score = 21
 rule_id = "5c983105-4681-46c3-9890-0c66d05e776b"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Discovery",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml
index 8ef069586..fedcc0308 100644
--- a/rules/ml/discovery_ml_linux_system_user_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
@@ -29,7 +27,14 @@ name = "Unusual Linux User Discovery Activity"
 risk_score = 21
 rule_id = "59756272-1998-4b8c-be14-e287035c4d10"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Discovery",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index 9d4ac076c..6818f720d 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -26,28 +24,35 @@ machine_learning_job_id = ["v3_windows_anomalous_script"]
 name = "Suspicious Powershell Script"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"]
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Execution",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
 
- [[rule.threat.technique.subtechnique]]
- id = "T1059.001"
- name = "PowerShell"
- reference = "https://attack.mitre.org/techniques/T1059/001/"
-
 
 
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
index 62b9e5aa4..5c318758f 100644
--- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
@@ -47,9 +45,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "745b0119-0560-43ba-860a-7235dd8cee8d"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -62,3 +66,4 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
index 8246bb110..5a1520d9f 100644
--- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
+++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
@@ -25,9 +23,14 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Initial Access",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -40,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
index d8d0e3fb3..18af4302f 100644
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
@@ -2,17 +2,15 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
 A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of
-detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user
-has left the organization) that becomes active may be due to credentialed access using a compromised account password.
+detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has
+left the organization) that becomes active may be due to credentialed access using a compromised account password.
 Threat actors will sometimes also create new users as a means of persisting in a compromised web application.
 """
 false_positives = [
@@ -54,9 +52,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "138c5dd5-838b-446e-b1ac-c995c7f8108a"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -67,12 +71,16 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "T1078.002"
 name = "Domain Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/002/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.003"
 name = "Local Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/003/"
+
+
 
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
index 686ef15bb..bc5582d14 100644
--- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -41,9 +39,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Initial Access",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index ffd6ad723..7bae0eb98 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -42,9 +40,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Initial Access",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -55,11 +59,14 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "T1078.002"
 name = "Domain Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/002/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.003"
 name = "Local Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/003/"
+
+
 
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index b5289e0ad..66e6ed0a0 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/07/27"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 50
@@ -35,9 +33,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Initial Access",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -49,4 +53,5 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml
index 22fb46f58..e953addcf 100644
--- a/rules/ml/ml_high_count_network_denies.toml
+++ b/rules/ml/ml_high_count_network_denies.toml
@@ -2,25 +2,23 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job detected an unusually large spike in network traffic that was
-denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by
-either 1) a mis-configured application or firewall or 2) suspicious or malicious activity.
-Unsuccessful attempts at network transit, in order to connect to command-and-control (C2),
-or engage in data exfiltration, may produce a burst of failed connections. This could also
-be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service
-attacks or traffic floods may also produce such a surge in traffic.
+A machine learning job detected an unusually large spike in network traffic that was denied by network access control
+lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured
+application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to
+connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This
+could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or
+traffic floods may also produce such a surge in traffic.
 """
 false_positives = [
 """
- A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert.
+ A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger
+ this alert.
 """,
 ]
 from = "now-30m"
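Review bot: The rewrapped false_positives text on the new side keeps the typo `misconfgured` in `+ A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger`; since that line is being rewritten anyway, spell it `misconfigured`. This is the rule's false_positives guidance, i.e. the text an analyst reads when deciding whether to close an alert from this job, so a misspelling there is worth fixing before the updated_date bump ships it. The sibling rule ml_high_count_network_events.toml in this same patch already writes `misconfigured`, and the description a few lines above writes `mis-configured`, so settling on one spelling would also keep the two notes consistent.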
@@ -32,5 +30,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
 severity = "low"
-tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"]
 type = "machine_learning"
+
diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml
index 6679f4147..1218c64e5 100644
--- a/rules/ml/ml_high_count_network_events.toml
+++ b/rules/ml/ml_high_count_network_events.toml
@@ -2,25 +2,22 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic,
-if not caused by a surge in business activity, can be due to suspicious or malicious activity.
-Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually
-large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may
-also produce such a surge in traffic.
+A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a
+surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a
+burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic.
+Denial-of-service attacks or traffic floods may also produce such a surge in traffic.
 """
 false_positives = [
 """
- Business workflows that occur very occasionally, and involve an unusual surge in network traffic,
- can trigger this alert. A new business workflow or a surge in business activity may trigger this alert.
- A misconfigured network application or firewall may trigger this alert.
+ Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this
+ alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network
+ application or firewall may trigger this alert.
 """,
 ]
 from = "now-30m"
@@ -32,5 +29,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] type = "machine_learning" + diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index b1e96b676..97ddd9a53 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -34,6 +32,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", +] type = "machine_learning" diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index c27a15a5c..8b0838f66 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -24,6 +22,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", +] type = "machine_learning" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index 4dcc51b2f..f8623cc1f 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -33,6 +31,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] type = "machine_learning" diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index 875c9fe09..b496dfbd4 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml 
@@ -2,30 +2,26 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected a rare destination country name in the network logs. -This can be due to initial access, persistence, command-and-control, or exfiltration activity. -For example, when a user clicks on a link in a phishing email or opens a malicious document, -a request may be sent to download and run a payload from a server in a country which does not -normally appear in network traffic or business work-flows. Malware instances and persistence -mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, -which may be an unusual destination country for the source network. +A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, +persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing +email or opens a malicious document, a request may be sent to download and run a payload from a server in a country +which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms +may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual +destination country for the source network. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve a business relationship with an - organization in a country that does not routinely appear in network events, can trigger this alert. 
- A new business workflow with an organization in a country with which no workflows previously - existed may trigger this alert - although the model will learn that the new destination country - is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many - countries for brief periods may trigger this alert. + Business workflows that occur very occasionally, and involve a business relationship with an organization in a + country that does not routinely appear in network events, can trigger this alert. A new business workflow with an + organization in a country with which no workflows previously existed may trigger this alert - although the model + will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business + travelers who roam to many countries for brief periods may trigger this alert. """, ] from = "now-30m" @@ -37,5 +33,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] type = "machine_learning" + diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 7e7d8b459..9066dda24 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml @@ -2,9 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -18,10 +16,10 @@ infrastructure in their country of origin, which may be an unusual destination c """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic - to one destination country, can trigger this alert. A new business workflow or a surge in business - activity in a particular country may trigger this alert. Business travelers who roam to many - countries for brief periods may trigger this alert if they engage in volumetric network activity. + Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination + country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may + trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they + engage in volumetric network activity. """, ] from = "now-30m" @@ -70,5 +68,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "c7db5533-ca2a-41f6-a8b0-ee98abe0f573" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] type = "machine_learning" + diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 338892739..56b7637a3 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -37,6 +35,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", +] type = "machine_learning" diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index 75f0ca416..8de5f2864 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -66,24 +64,31 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "647fc812-7996-4795-8869-9c4ea595fe88" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index a5e44c9f7..224077d6f 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
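Review bot: The re-indented subtechnique in persistence_ml_linux_anomalous_process_all_hosts.toml still maps a rule tagged `"OS: Linux"` to `T1543.003` / `"Windows Service"`, while the sibling Linux rule in this same diff (persistence_ml_rare_process_by_host_linux.toml) maps to `T1543.002` / `"Systemd Service"`, which looks like the intended mapping here. Since the commit already rewrites these three lines, this is the place to correct them: `id = "T1543.002"`, `name = "Systemd Service"`, `reference = "https://attack.mitre.org/techniques/T1543/002/"`. If the Windows mapping is deliberate (for example because the underlying ML job covers both platforms), a `#` comment above the block stating that would stop the next reader from "fixing" it.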
@@ -66,24 +64,30 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" - [[rule.threat.technique.subtechnique]] - id = "T1543.002" - name = "Systemd Service" - reference = "https://attack.mitre.org/techniques/T1543/002/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index 93bfc627f..280215b6f 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml 
@@ -2,26 +2,33 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] - [[transform.osquery]] - label = "Osquery - Retrieve DNS Cache" - query = "SELECT * FROM dns_cache" +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" - [[transform.osquery]] - label = "Osquery - Retrieve All Services" - query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" - [[transform.osquery]] - label = "Osquery - Retrieve Services Running on User Accounts" - query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)" +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Retrieve Service Unisgned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE 
authenticode.result != 'trusted' +""" - [[transform.osquery]] - label = "Retrieve Service Unisgned Executables with Virustotal Link" - query = "SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'" [rule] anomaly_threshold = 50 @@ -107,22 +114,28 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml index b326a14ac..dbcb5d48c 100644 --- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml +++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml 
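Review bot: The rewrapped "Retrieve Services Running on User Accounts" query keeps `user_account == null` inside the `NOT (...)` predicate, and under SQLite's three-valued logic (which osquery's engine uses) comparing with NULL via `==` yields NULL rather than true/false; the OR chain then evaluates to NULL for every non-system account and NOT NULL is still NULL, so as I read it the query excludes every row and the transform returns nothing. The fix is one line on the new side: `user_account IS NULL)`. In the same hunk the label `"Retrieve Service Unisgned Executables with Virustotal Link"` carries a typo into a user-visible string and, unlike the three sibling transforms, lacks the `Osquery - ` prefix; `label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"` would align it. Note also that the move to `"""` multi-line basic strings embeds the line breaks (and a trailing newline) in the query text; SQLite tolerates that whitespace, but the strings must stay free of backslashes since basic strings process escapes.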
@@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -31,22 +29,28 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Tactic: Execution", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" @@ -58,13 +62,12 @@ framework = "MITRE ATT&CK" id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" - [[rule.threat.technique.subtechnique]] - id = "T1204.002" - name = "Malicious File" - reference = "https://attack.mitre.org/techniques/T1204/002/" - [rule.threat.tactic] id = "TA0002" 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index dd5bcb424..b3a28a2b7 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -116,7 +114,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Tactic: Execution", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index f6c915343..e7d43de5e 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -119,7 +117,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index 301458aae..ebd2420f3 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -29,24 +27,30 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index 93d94089a..adc9dacab 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -27,7 +25,14 @@ name = "Unusual Sudo Activity" risk_score = 21 rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 9aa047528..621759437 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -29,12 +27,20 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + 
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml index 03c4d43ef..ca7bed0a2 100644 --- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -28,22 +26,30 @@ name = "Anomalous Linux Compiler Activity" risk_score = 21 rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Resource Development"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Resource Development", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1588" name = "Obtain Capabilities" reference = "https://attack.mitre.org/techniques/T1588/" +[[rule.threat.technique.subtechnique]] +id = "T1588.001" +name = "Malware" +reference = "https://attack.mitre.org/techniques/T1588/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1588.001" - name = "Malware" - reference = "https://attack.mitre.org/techniques/T1588/001/" [rule.threat.tactic] id = "TA0042" name = "Resource Development" -reference = "https://attack.mitre.org/tactics/TA0042/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0042/" + 
diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml index 276db49d0..832e6fb03 100644 --- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml +++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml index de5520737..be1409663 100644 --- a/rules/network/command_and_control_cobalt_strike_beacon.toml +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml index facaf30f0..6086b36e1 100644 --- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml +++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/05" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml index fbade0aa6..22f2f919a 100644 --- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml +++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/02" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml index f4e43921e..5766270a1 100644 --- a/rules/network/command_and_control_fin7_c2_behavior.toml +++ b/rules/network/command_and_control_fin7_c2_behavior.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml index 3cbbd7070..db956efc0 100644 --- a/rules/network/command_and_control_halfbaked_beacon.toml +++ b/rules/network/command_and_control_halfbaked_beacon.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index 8c76d249a..94a0c4750 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index 8f2fdafa6..d25a8aeb1 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index 1b1cc835d..6cfbbf069 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index 5c07d1604..d410f7aaa 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index 450ea79d3..09da32e8e 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 856e8943d..2fc61ba32 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml 
@@ -2,21 +2,19 @@ creation_date = "2023/05/17" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = ''' -This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target -network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and -weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized -access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts -from one source host to 10 or more destination hosts on commonly used network services. -''' +description = """ +This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, +identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. +This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data +theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one +source host to 10 or more destination hosts on commonly used network services. +""" from = "now-9m" -index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*",] +index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"] language = "kuery" license = "Elastic License v2" max_signals = 5 
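Review bot: The reflowed description on the new side still tells the analyst the rule fires on connection attempts `from one source host to 10 or more destination hosts`, but this file's `[[rule.threshold.cardinality]]` (last hunk of the file, unchanged context) keeps `field = "destination.ip"` with `value = 100`, so the prose understates the real firing condition by an order of magnitude. Which of the two is stale is not visible in the diff; if 100 is the intended tuning, the sentence should end `from one source host to 100 or more destination hosts on commonly used network services.`, otherwise the cardinality value should be lowered to match the documented behaviour. Since this commit rewrites the description text anyway, it is the cheapest place to fix the mismatch. The `[rule]` table this description belongs to continues past the hunk.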
@@ -24,44 +22,46 @@ name = "Potential Network Sweep Detected" risk_score = 21 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d" severity = "low" -tags = ["Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring" - ] -type = "threshold" +tags = [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" - [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" + + [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -71,6 +71,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/" field = ["source.ip"] value = 1 [[rule.threshold.cardinality]] - field = "destination.ip" value = 100 + + diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml index fb8c8d856..1593f34d2 100644 --- a/rules/network/discovery_potential_port_scan_detected.toml +++ b/rules/network/discovery_potential_port_scan_detected.toml 
@@ -2,20 +2,18 @@ creation_date = "2023/05/17" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = ''' +description = """ This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a -target system or network for open ports, allowing them to identify available services and potential vulnerabilities. -By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining +target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By +mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further -exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts -from one source host to 20 or more destination ports. -''' +exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from +one source host to 20 or more destination ports. +""" from = "now-9m" index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"] language = "kuery" 
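Review bot: The rewritten description states the threshold as `from one source host to 20 or more destination ports`, while the rule's cardinality clause later in this file (unchanged context in the last hunk) is `field = "destination.port"` / `value = 250`, grouped on `["destination.ip", "source.ip"]`, so the text does not match what the rule actually evaluates. If 250 is the intended value, the sentence should read `This rule proposes threshold logic to check for connection attempts from one source host to 250 or more destination ports.`; if the lower figure is intended, the threshold value is what needs changing. Given the grouping fields, the count appears to be per source/destination pair rather than per source host, which the description could also state explicitly — worth confirming against the threshold semantics. The `[rule]` table continues beyond this hunk.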
@@ -25,44 +23,45 @@ name = "Potential Network Scan Detected" risk_score = 21 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b" severity = "low" -tags = ["Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring" - ] -type = "threshold" +tags = [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" - [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" + + [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -71,7 +70,8 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 - [[rule.threshold.cardinality]] field = "destination.port" value = 250 + + diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml index 2ad59638e..f5a5dca52 100644 --- a/rules/network/discovery_potential_syn_port_scan_detected.toml +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml 
@@ -2,20 +2,18 @@ creation_date = "2023/05/17" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = ''' +description = """ This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a -target network for open ports by sending SYN packets to multiple ports and observing the response. -Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, -allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its -security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic -to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. -''' +target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this +method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch +targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading +to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts +from one source host to 10 or more destination ports using 2 or less packets per port. +""" from = "now-9m" index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"] language = "kuery" 
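Review bot: The reflowed description keeps the claim `from one source host to 10 or more destination ports using 2 or less packets per port`, but the rule's `[[rule.threshold.cardinality]]` in the final hunk of this file is `field = "destination.port"` / `value = 250`, so the documented trigger is 25x lower than the configured one. The packet filter itself (`network.packets <= 2` in the query) does match the text; only the port count is off. If 250 is correct, the closing sentence should become `This rule proposes threshold logic to check for connection attempts from one source host to 250 or more destination ports using 2 or fewer packets per port.`, otherwise lower the cardinality value to the documented figure. The enclosing `[rule]` table runs past the end of this hunk.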
@@ -25,44 +23,45 @@ name = "Potential SYN-Based Network Scan Detected" risk_score = 21 rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409" severity = "low" -tags = ["Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring" - ] -type = "threshold" +tags = [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" - [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" + + [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -71,7 +70,8 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 - [[rule.threshold.cardinality]] field = "destination.port" value = 250 + + diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 3dcd1d643..1d7743ba0 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/17"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index ce2e6f9b0..0f11c9084 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -2,10 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/17"
-
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 782073582..cdb0744ec 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -2,10 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/17"
-
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index fa1a06c6a..8f51cb76b 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/11"
 integration = ["network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/16"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml
index ad311c66b..38b0ec200 100644
--- a/rules/network/lateral_movement_dns_server_overflow.toml
+++ b/rules/network/lateral_movement_dns_server_overflow.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/01"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
index d643f37fb..a438cc585 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
@@ -1,16 +1,14 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/13"
 promotion = true
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link
-in the rule.reference column for additional information.
+Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in
+the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -32,24 +30,26 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1003.001" - name = "LSASS Memory" - reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index 08734f9dd..546220331 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml 
@@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link -in the rule.reference column for additional information. +Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,26 +30,29 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1003.001" - name = "LSASS Memory" - reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + 
diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index 8866e3f78..37dae90c4 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the -link in the rule.reference column for additional information. +Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,8 +30,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index c8865ab25..cbf07ce6b 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml 
@@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,8 +30,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index 22c4fdbc5..d00be8545 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,8 +30,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) 
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index 58870383f..917f0ab08 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,8 +30,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index f8509c3a8..d6e5e4b76 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -32,8 +30,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index fff5c7797..891c48a3e 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -31,14 +29,20 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" -tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] -type = "query" +tags = [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -46,7 +50,6 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -54,7 +57,9 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index b9e85a7bd..8d924b7e7 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -31,14 +29,20 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" -tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] -type = "query" +tags = [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -46,7 +50,6 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -54,7 +57,9 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 8f657c450..1eb2d1a0d 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -12,7 +10,15 @@ description = """ Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. """ -index = ["apm-*-transaction*", "traces-apm*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] +index = [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*", +] language = "kuery" license = "Elastic License v2" max_signals = 10000 
@@ -47,25 +53,25 @@ value = "" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -value = "21" severity = "low" +value = "21" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -value = "47" severity = "medium" +value = "47" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -value = "73" severity = "high" +value = "73" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -value = "99" severity = "critical" +value = "99" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index caef5f6ab..8155bb2f9 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the -link in the rule.reference column for additional information. +Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link +in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] 
@@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,9 +45,9 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index b9ddee16d..3d28513a5 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml 
@@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the -link in the rule.reference column for additional information. +Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link +in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,9 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index 0a81cdd2f..2e8870a4b 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml 
@@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in -the rule.reference column for additional information. +Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the +rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,9 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 5c4cd362f..24e914d78 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml 
@@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in -the rule.reference column for additional information. +Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the +rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,9 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 430a3a2c8..1eea20d6f 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml 
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in -the rule.reference column for additional information. +Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the +rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,9 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 3451dafac..8b9651451 100644 
--- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link -in the rule.reference column for additional information. +Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,9 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml index b035f8891..6999edfe0 100644 
--- a/rules/windows/collection_email_outlook_mailbox_via_com.toml +++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml @@ -2,15 +2,13 @@ creation_date = "2023/01/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.4.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect -sensitive information or send email on their behalf via API. +Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may +target user email to collect sensitive information or send email on their behalf via API. """ from = "now-9m" index = ["logs-endpoint.events.process*"] @@ -23,7 +21,13 @@ references = [ risk_score = 47 rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: Elastic Defend", +] type = "eql" query = ''' 
@@ -51,34 +55,32 @@ framework = "MITRE ATT&CK" id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" - [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" reference = "https://attack.mitre.org/techniques/T1114/001/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" - [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index b31607b49..28a89c21a 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
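Review bot: The removed `min_stack_version = "8.11.0"` in the `@@ -2,9 +2,7 @@` hunk of collection_email_powershell_exchange_mailbox.toml was annotated `SentinelOne integration package minimum version for validation.`, and the rule's new-side `index` list in the following hunk still contains `logs-sentinel_one_cloud_funnel.*`, so the per-rule floor that tied schema validation to the SentinelOne integration fields is gone. Presumably the backport moves that floor to a repository-wide minimum stack version, but this diff does not show it; if the global floor is below 8.11.0, the rule could be packaged for stacks where those fields are absent and fail validation or silently never match. The same concern applies to the first hunks of command_and_control_port_forwarding_added_registry.toml and command_and_control_rdp_tunnel_plink.toml, and to command_and_control_new_terms_commonly_abused_rat_execution.toml, whose removed comment tied `min_stack_version = "8.4.0"` to the `new_terms` rule type. If the central floor is not at least 8.11.0, keep `min_stack_version = "8.11.0"` on the SentinelOne rules (and `"8.4.0"` on the new_terms rule) until it is.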
@@ -14,7 +12,14 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect """ false_positives = ["Legitimate exchange system administration activity."] from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Exporting Exchange Mailbox via PowerShell" @@ -74,7 +79,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" @@ -107,7 +122,6 @@ reference = "https://attack.mitre.org/techniques/T1114/002/" id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index cf05245b6..83b9dd436 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -75,7 +73,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index b6f3ca45e..31e807680 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -80,7 +78,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml index 55925895e..b0ce9e211 100644 --- a/rules/windows/collection_posh_mailbox.toml +++ b/rules/windows/collection_posh_mailbox.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -81,7 +79,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index ac8582774..bf6cba3bc 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -76,7 +74,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml index f695abe94..1def216d6 100644 --- a/rules/windows/collection_posh_webcam_video_capture.toml +++ b/rules/windows/collection_posh_webcam_video_capture.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/18" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -17,7 +15,9 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Webcam Video Capture Capabilities" -references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"] +references = [ + "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py", +] risk_score = 47 rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43" setup = """## Setup 
@@ -39,7 +39,13 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 723a176a9..9c69091a8 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -61,7 +59,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -91,6 +97,11 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" @@ -100,11 +111,6 @@ id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" -[[rule.threat.technique]] -id = "T1005" -name = "Data from Local System" -reference = "https://attack.mitre.org/techniques/T1005/" - [rule.threat.tactic] diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index 81677f328..ceaf3e4b8 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,13 +29,21 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ -Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL. +Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a +remote URL. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Potential File Transfer via Certreq" @@ -98,7 +104,16 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"] risk_score = 47 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Command and Control", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -120,8 +135,6 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -134,7 +147,6 @@ reference = "https://attack.mitre.org/techniques/T1218/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -142,6 +154,7 @@ id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index d7592550d..f294ae465 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/10" +updated_date = "2024/05/21" [transform] [[transform.osquery]] diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index d16761b8f..0c1b178a3 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl may indicate command and control activity utilizing the DNS protocol. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Potential DNS Tunneling via NsLookup" @@ -62,7 +66,7 @@ tags = [ "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] type = "eql" @@ -84,11 +88,13 @@ id = "T1071.004" name = "DNS" reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index de1adf85a..798d6db68 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -28,7 +26,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml index 8c844b616..f435dd9dd 100644 --- a/rules/windows/command_and_control_headless_browser.toml +++ b/rules/windows/command_and_control_headless_browser.toml @@ -2,10 +2,7 @@ creation_date = "2024/05/10" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/10" - +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +11,13 @@ Identifies the use of a browser to download a file from a remote URL and from a may use browsers to avoid ingress tool transfer restrictions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Potential File Download via a Headless Browser" 
@@ -46,7 +49,16 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Msedge/"] risk_score = 73 rule_id = "5f2f463e-6997-478c-8405-fb41cc283281" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Windows", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Windows", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -73,3 +85,4 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index 7c6e09480..794242441 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -22,7 +20,13 @@ name = "Potential Command and Control via Internet Explorer" risk_score = 47 rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", +] type = "eql" query = ''' 
diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml index 372f5589d..d0be4efa7 100644 --- a/rules/windows/command_and_control_ingress_transfer_bits.toml +++ b/rules/windows/command_and_control_ingress_transfer_bits.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,10 +29,11 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ -Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). +Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads. """ from = "now-9m" @@ -115,7 +114,14 @@ references = ["https://attack.mitre.org/techniques/T1197/"] risk_score = 21 rule_id = "f95972d3-c23b-463b-89a8-796b3f369b49" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Command and Control", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -151,8 +157,6 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -165,3 +169,4 @@ reference = "https://attack.mitre.org/techniques/T1197/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml index a317700b8..c4ba50200 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml +++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/03" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" -min_stack_version = "8.4.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -15,12 +13,17 @@ when a process is started whose name or code signature resembles commonly abused indicating the host has not seen this RAT process started before within the last 30 days. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "endgame-*", "winlogbeat-*", "logs-windows.*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "endgame-*", + "winlogbeat-*", + "logs-windows.*", + "logs-system.security*", +] language = "kuery" license = "Elastic License v2" name = "First Time Seen Commonly Abused Remote Access Tool Execution" -note = """ -## Triage and analysis +note = """## Triage and analysis ### Investigating First Time Seen Commonly Abused Remote Access Tool Execution 
@@ -56,12 +59,20 @@ This rule detects when a remote access tool is seen in the environment for the f
 references = [
 "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
 "https://attack.mitre.org/techniques/T1219/",
- "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json"
+ "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json",
 ]
 risk_score = 47
 rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 0db2f71ea..2437a7ded 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies the creation of a new port forwarding rule. An adversary may abuse th
 segmentation restrictions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Port Forwarding Rule Addition"
@@ -82,7 +86,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne"
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -108,7 +112,6 @@ reference = "https://attack.mitre.org/techniques/T1572/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -116,6 +119,7 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 1499e8c0d..c89ed31c6 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,14 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T
 enable routing of network packets that would otherwise not reach their intended destination.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
@@ -72,7 +77,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: SentinelOne"
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -97,7 +102,6 @@ reference = "https://attack.mitre.org/techniques/T1572/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -115,3 +119,4 @@ reference = "https://attack.mitre.org/techniques/T1021/004/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 1ebdb84c2..80a061822 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 42c16fe3f..96ac992cd 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 092dbd69d..27a223a2d 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/04/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 26e228aa9..40905e424 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/04/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,12 @@ Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) bei
 from a remote destination.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.network-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Script Interpreter"
@@ -96,7 +99,16 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr
 risk_score = 47
 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 
 query = '''
@@ -120,7 +132,6 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index 6fb210442..0deeef487 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -2,23 +2,29 @@
 creation_date = "2024/03/27"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
-
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution
-abusing unauthorized access to the ScreenConnect remote access software.
+Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate
+execution abusing unauthorized access to the ScreenConnect remote access software.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+ "logs-system.security*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious ScreenConnect Client Child Process"
-references = ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"]
+references = [
+ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
+]
 risk_score = 47
 rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546"
 severity = "medium"
@@ -31,7 +37,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne"
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index d1c62d1fc..fd34ad33b 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -99,7 +97,14 @@ references = [
 risk_score = 73
 rule_id = "22599847-5d13-48cb-8872-5796fee8692b"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index b5c92ad1e..d7526688a 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -90,7 +88,9 @@ TeamViewer is a remote access and remote control tool used by helpdesks and syst
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
+references = [
+ "http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html",
+]
 risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 setup = """## Setup
@@ -109,7 +109,7 @@ tags = [
 "Tactic: Command and Control",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
index 2efd54755..c917c234f 100644
--- a/rules/windows/credential_access_adidns_wildcard.toml
+++ b/rules/windows/credential_access_adidns_wildcard.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/26"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,8 @@ Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match -records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing. +records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS +spoofing. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] @@ -22,7 +21,7 @@ license = "Elastic License v2" name = "Potential ADIDNS Poisoning via Wildcard Record Creation" references = [ "https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/", - "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing" + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing", ] risk_score = 73 rule_id = "8f242ffb-b191-4803-90ec-0f19942e17fd" @@ -55,7 +54,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "eql" @@ -74,7 +73,6 @@ name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml index 1862372c9..3fbdbc218 100644 --- a/rules/windows/credential_access_bruteforce_admin_account.toml +++ b/rules/windows/credential_access_bruteforce_admin_account.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -105,7 +103,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
index 721525683..401b9edca 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -109,7 +107,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
index ec73c3905..008bf363e 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -98,10 +97,10 @@ This rule identifies potential password guessing/brute force activity from a sin
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624",
- "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity",
- "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624",
+ "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity",
+ "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638",
 ]
 risk_score = 47
 rule_id = "48b6edfc-079d-4907-b43c-baffa243270d"
@@ -110,7 +109,13 @@ setup = """## Setup
 - In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index ae6317cf1..bf5073618 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m
 (NTDS.dit) in preparation for credential access.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Windows Utilities"
@@ -71,7 +75,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -134,7 +138,6 @@ reference = "https://attack.mitre.org/techniques/T1003/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index c456ca719..adeb495cf 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
+
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
@@ -38,7 +37,13 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o
 Those files contain sensitive information including hashed domain and/or local credentials.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -115,7 +120,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 31b2b5283..55c55eb6b 100644
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/04/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -40,7 +38,12 @@ credential management. This technique is sometimes used for credential dumping.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.library-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Trusted Developer Utility"
@@ -100,7 +103,16 @@ This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`,
 risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 
 query = '''
@@ -117,7 +129,6 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1003.002"
 name = "Security Account Manager"
@@ -133,11 +144,12 @@ id = "T1555.004"
 name = "Windows Credential Manager"
 reference = "https://attack.mitre.org/techniques/T1555/004/"
 
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 920ae2202..02e0d783a 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -2,16 +2,14 @@
 creation_date = "2022/12/19"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
-min_stack_version = "8.4.0"
-updated_date = "2024/01/29"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule identifies when a User Account starts the Active Directory Replication Process for the first time.
-Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain,
-thus compromising the entire domain.
+This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers
+can use the DCSync technique to get credential information of individual accounts or the entire domain, thus
+compromising the entire domain.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
@@ -82,7 +80,16 @@ Audit Directory Service Access (Success,Failure)
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Privilege Escalation",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
@@ -97,26 +104,23 @@ event.action:("Directory Service Access" or "object-operation-performed") and ev
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1003"
-reference = "https://attack.mitre.org/techniques/T1003/"
 name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.006"
+name = "DCSync"
+reference = "https://attack.mitre.org/techniques/T1003/006/"
 
- [[rule.threat.technique.subtechnique]]
- id = "T1003.006"
- reference = "https://attack.mitre.org/techniques/T1003/006/"
- name = "DCSync"
 
 [rule.threat.tactic]
 id = "TA0006"
-reference = "https://attack.mitre.org/tactics/TA0006/"
 name = "Credential Access"
-
+reference = "https://attack.mitre.org/tactics/TA0006/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -136,7 +140,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["winlog.event_data.SubjectUserName"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-15d"
+
+
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index d5123d71f..8fbe4cfa0 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/08"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/01/29"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +88,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring"
+ "Use Case: Active Directory Monitoring",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -140,11 +138,8 @@ reference = "https://attack.mitre.org/techniques/T1003/006/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 0d845d464..c181c9b24 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +68,17 @@ Audit User Account Management (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", +] timestamp_override = "event.ingested" type = "query" @@ -96,11 +104,8 @@ reference = "https://attack.mitre.org/techniques/T1558/004/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -111,11 +116,8 @@ reference = "https://attack.mitre.org/techniques/T1562/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml index 2f42ee0b8..38220bc91 100644 --- a/rules/windows/credential_access_dnsnode_creation.toml +++ b/rules/windows/credential_access_dnsnode_creation.toml @@ -2,9 +2,7 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/26" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -23,7 +21,7 @@ license = "Elastic License v2" name = "Creation of a DNS-Named Record" references = [ "https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/", - "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing" + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing", ] risk_score = 21 rule_id = "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc" @@ -56,7 +54,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "eql" @@ -76,7 +74,6 @@ name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 6b619d797..b1ad6d1b7 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
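Review bot: Dropping `min_stack_version = "8.11.0"` from the DPAPI backup-key rule removes the only gate that kept `logs-sentinel_one_cloud_funnel.*` (still present in the index list in the next hunk) from being validated and packaged for stacks where the SentinelOne integration did not exist. That is only safe if the trimmed floor in stack-schema-map.yaml now sits at or above 8.11.0; if the floor landed lower, the rule either fails schema validation at build time or ships to stacks that cannot back that index pattern. Please confirm the new floor and, if it is below 8.11.0, keep `min_stack_version = "8.11.0"` together with its original comment on this file and on the kirbi and memssp rules further down, which carry the same SentinelOne dependency. A one-line statement in docs/versioning.md of the floor that makes these per-rule gates redundant would let future reviewers verify this without repository archaeology.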
@@ -13,7 +11,13 @@ Identifies the creation or modification of Domain Backup private keys. Adversari (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Creation or Modification of Domain Backup DPAPI private key" @@ -36,7 +40,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index 93eeb99a1..4af9d346d 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml 
@@ -2,15 +2,19 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Credential Acquisition via Registry Hive Dumping" @@ -75,7 +79,7 @@ tags = [ "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml index 016c83147..870592447 100644 --- a/rules/windows/credential_access_generic_localdumps.toml +++ b/rules/windows/credential_access_generic_localdumps.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/28" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -28,7 +26,15 @@ references = [ risk_score = 47 rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml index 8bb38df6f..cfc613548 100644 --- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" max_signals = 33 
@@ -30,7 +34,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 6dfa8a0d3..cf3046479 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ access via a webshell or alike can decrypt and dump any hardcoded connection str password using aspnet_regiis command. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" max_signals = 33 
@@ -34,7 +38,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index bf21ea751..9b74a0938 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -112,7 +110,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml index 60bbd7857..a1d09edb7 100644 --- a/rules/windows/credential_access_kirbi_file.toml +++ b/rules/windows/credential_access_kirbi_file.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,14 +12,26 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P attacker to impersonate users using Kerberos tickets. """ from = "now-9m" -index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Kirbi File Creation" risk_score = 47 rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" @@ -43,7 +53,6 @@ name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml index 748600024..7e9ca44a1 100644 
--- a/rules/windows/credential_access_ldap_attributes.toml +++ b/rules/windows/credential_access_ldap_attributes.toml @@ -2,9 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -41,7 +39,15 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", +] timestamp_override = "event.ingested" type = "eql" @@ -89,11 +95,12 @@ id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml index 823684db5..414ba8656 100644 --- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml +++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml @@ -2,9 +2,7 @@ creation_date = "2022/06/29" integration = ["windows"] maturity = "production" -min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." -min_stack_version = "8.8.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
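Review bot: The removed `min_stack_comments` on the malseclogon rule recorded a real packaging hazard (`required_fields` is built differently on 8.7 and earlier than on 8.8+), and the deleted 8.8.0 gate was the mechanism that kept this rule from being built against the older schema. With the gate gone, the rule is built for whatever floor the trimmed schema map defines; if that floor is still below 8.8.0 the build-time divergence returns silently rather than as a validation error. Confirm the floor is at or above 8.8.0 or retain `min_stack_version = "8.8.0"` here; either way the rationale deserves a line in docs/versioning.md so the next trim does not have to rediscover it.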
@@ -30,7 +28,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index 3a59f2ce8..dcb0c455c 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2022/12/28" -maturity = "production" integration = ["endpoint"] -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,10 +16,7 @@ index = ["logs-endpoint.events.library-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Module Loaded by LSASS" -references = [ - "https://blog.xpnsec.com/exploring-mimikatz-part-2/", - "https://github.com/jas502n/mimikat_ssp" -] +references = ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"] risk_score = 47 rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97" setup = """## Setup 
@@ -33,7 +28,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -126,3 +127,4 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index 8fe7c70f1..a982b362c 100644 --- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -115,7 +113,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c" timeline_title = "Comprehensive File Timeline" diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml index 955bd4997..ce971d469 100644 --- a/rules/windows/credential_access_lsass_memdump_handle_access.toml 
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/16" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -132,9 +130,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ - severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml index 97c80885a..7a3135c6e 100644 --- a/rules/windows/credential_access_lsass_openprocess_api.toml +++ b/rules/windows/credential_access_lsass_openprocess_api.toml @@ -2,9 +2,7 @@ creation_date = "2023/03/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: Lsass access events added in Elastic Endpoint 8.7." -min_stack_version = "8.7.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
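Review bot: Removing `min_stack_version = "8.7.0"` from the LSASS API-access rule drops a gate tied to the event source itself: the comment being deleted states that the api events this rule queries (`logs-endpoint.events.api-*`, visible as context in the next hunk) only exist from Elastic Endpoint 8.7. If the trimmed floor is at or above 8.7.0 this is harmless, but if it is lower the rule will be published to stacks where that index is never populated and will silently never fire, a quiet detection gap on a credential-dumping rule. Suggest confirming the floor and, where it is lower, keeping `min_stack_version = "8.7.0"` with the original comment, since that comment documents a data-source dependency rather than a schema-field nuisance like the generic 8.3.0 entries removed elsewhere in this patch.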
@@ -31,18 +29,16 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] -description = """ -Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. -""" +description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n" from = "now-9m" index = ["logs-endpoint.events.api-*"] language = "eql" license = "Elastic License v2" name = "LSASS Process Access via Windows API" -note = """ -## Triage and analysis +note = """## Triage and analysis ### Investigating LSASS Process Access via Windows API @@ -109,7 +105,14 @@ references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomic risk_score = 47 rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -177,10 +180,8 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1106" name = "Native API" @@ -191,3 +192,4 @@ reference = "https://attack.mitre.org/techniques/T1106/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index be347be50..51290153a 100644 
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -2,15 +2,19 @@ creation_date = "2020/08/31" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = "Identifies the password log file from the default Mimikatz memssp module." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Mimikatz Memssp Log File Detected" @@ -76,7 +80,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: SentinelOne" + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 512134c1e..03a0f56c4 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/07" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -91,7 +89,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 0e64e8c5f..4ae9a8e20 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -87,7 +85,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 0ab094362..7c1240d4b 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/02/16" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -63,7 +61,7 @@ tags = [ "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 94bacc832..2a95513aa 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -106,7 +105,16 @@ references = [ risk_score = 47 rule_id = "54c3d186-0461-4dc3-9b33-2dc5c7473936" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml index 1b9c45665..244493da5 100644 --- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml +++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -50,12 +48,19 @@ Invoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that wer - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1" + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1", ] risk_score = 47 rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -83,16 +88,15 @@ framework = "MITRE ATT&CK" id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.002" +name = "Security Account Manager" +reference = "https://attack.mitre.org/techniques/T1003/002/" - [[rule.threat.technique.subtechnique]] - id = "T1003.002" - name = "Security Account Manager" - reference = "https://attack.mitre.org/techniques/T1003/002/" - - [[rule.threat.technique.subtechnique]] - id = "T1003.003" - name = "NTDS" - reference = "https://attack.mitre.org/techniques/T1003/003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.003" +name = "NTDS" +reference = "https://attack.mitre.org/techniques/T1003/003/" 
@@ -100,26 +104,23 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] - id = "T1059.001" - name = "PowerShell" - reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -127,7 +128,9 @@ id = "T1006" name = "Direct Volume Access" reference = "https://attack.mitre.org/techniques/T1006/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml index f2b68cfab..25c3693ad 100644 --- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml +++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/26" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -62,9 +60,7 @@ This rule indicates the use of scripts that contain code capable of dumping Kerb - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = [ - "https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1", -] +references = ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"] risk_score = 47 rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56" setup = """## Setup @@ -86,7 +82,13 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -119,7 +121,6 @@ name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index f25b14570..801b74645 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/05" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -80,7 +78,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml index f3bf6ee05..6b8c1c203 100644 --- a/rules/windows/credential_access_posh_relay_tools.toml +++ b/rules/windows/credential_access_posh_relay_tools.toml @@ -2,9 +2,7 @@ creation_date = "2024/03/27" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/27" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -22,7 +20,7 @@ references = [ "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1", "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1", "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1", - "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1" + "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1", ] risk_score = 47 rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449" 
@@ -45,7 +43,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -70,12 +75,10 @@ name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -93,7 +96,6 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml index 02d8a9a58..1e24dacaf 100644 --- a/rules/windows/credential_access_posh_request_ticket.toml +++ b/rules/windows/credential_access_posh_request_ticket.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/24" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -76,7 +74,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml index 742e90e81..e7be3dd4e 100644 --- a/rules/windows/credential_access_posh_veeam_sql.toml +++ b/rules/windows/credential_access_posh_veeam_sql.toml @@ -2,9 +2,7 @@ creation_date = "2024/03/14" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,8 +16,8 @@ language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Veeam Credential Access Capabilities" references = [ - "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", - "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/" + "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", + "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/", ] risk_score = 47 rule_id = "5c602cba-ae00-4488-845d-24de2b6d8055" 
@@ -42,7 +40,13 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -64,13 +68,13 @@ framework = "MITRE ATT&CK" id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml index 86ab80c45..f62f2f7b3 100644 --- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml +++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml @@ -2,9 +2,7 @@ creation_date = "2021/09/27" integration = ["windows"] maturity = "production" -min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." -min_stack_version = "8.8.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
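Review bot: The removed `min_stack_version = "8.8.0"` in credential_access_potential_lsa_memdump_via_mirrordump.toml carried a comment that `required_fields` diverge between 8.7 and 8.8+ because of schema versions, which is a different situation from the 8.3.0 floors dropped elsewhere in this diff. After this hunk the rule presumably relies on the branch's implicit minimum stack being at least 8.8.0; if it is lower, the build-time `required_fields` divergence the comment warned about comes back silently. The same applies to the 8.8.0 removals in credential_access_suspicious_lsass_access_generic.toml, credential_access_suspicious_lsass_access_memdump.toml and credential_access_suspicious_lsass_access_via_snapshot.toml later in the diff. Worth confirming the branch default once rather than assuming it per rule.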
@@ -29,7 +27,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml index 88573df52..7198111d2 100644 --- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml @@ -2,9 +2,7 @@ creation_date = "2022/04/30" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies attempt to coerce a local NTLM authentication via HTTP using the Wind An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Potential Local NTLM Relay via HTTP" 
@@ -25,7 +29,15 @@ references = [ risk_score = 73 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion","Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -53,7 +65,6 @@ reference = "https://attack.mitre.org/techniques/T1212/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -65,6 +76,8 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml index 7219cc88b..f3fde2b08 100644 --- a/rules/windows/credential_access_remote_sam_secretsdump.toml +++ b/rules/windows/credential_access_remote_sam_secretsdump.toml @@ -2,9 +2,7 @@ creation_date = "2022/03/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -76,7 +74,7 @@ tags = [ "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml index 73620d2f3..0516afe26 100644 
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml +++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml index ac77a824e..51f4b0da8 100644 --- a/rules/windows/credential_access_saved_creds_vaultcmd.toml +++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ applications, and networks. An adversary may abuse this to list or dump credenti saved usernames and passwords. This may also be performed in preparation of lateral movement. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Searching for Saved Credentials via VaultCmd" 
@@ -34,7 +38,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml index 85a166a85..14298cfb5 100644 --- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml +++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/27" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -85,7 +83,7 @@ tags = [ "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "query" 
@@ -98,24 +96,24 @@ event.action:"Authorization Policy Change" and event.code:4704 and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml index ae9a46865..80289225b 100644 --- a/rules/windows/credential_access_shadow_credentials.toml +++ b/rules/windows/credential_access_shadow_credentials.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/26" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -87,7 +85,15 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType W ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml index 0825930bd..08e8f50ed 100644 
--- a/rules/windows/credential_access_spn_attribute_modified.toml +++ b/rules/windows/credential_access_spn_attribute_modified.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/22" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -93,7 +91,7 @@ tags = [ "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml index 5329acd6e..405ac2ab0 100644 --- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml +++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/17" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -114,7 +113,14 @@ You will need to enable logging of ImageLoads in your Sysmon configuration to in File Name. """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -145,7 +151,6 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml index 97598b094..c01731dfb 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml @@ -2,15 +2,11 @@ creation_date = "2023/01/22" integration = ["windows"] maturity = "production" -min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." -min_stack_version = "8.8.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory. -""" +description = "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.\n" from = "now-9m" index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" 
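Review bot: The rewritten `description` in credential_access_suspicious_lsass_access_generic.toml keeps a trailing `\n` escape inside the basic string, so the value still ends with a newline, unlike the single-line descriptions of the other rules in this diff (for example the Netsh and attrib rules). If the intent was a plain one-line string, drop the escape: `description = "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory."`. The mixed `LSASS`/`Lsass` spelling within the same sentence is carried over from the old text and could be normalised in the same edit.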
@@ -28,7 +24,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -77,3 +79,4 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index 9aeda8961..ad39fc43c 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/07" integration = ["windows"] maturity = "production" -min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." -min_stack_version = "8.8.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -32,7 +30,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic:Execution", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -69,10 +74,8 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1106" name = "Native API" diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml index 6d82c6c07..7b152155c 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/14" integration = ["windows"] maturity = "production" -min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." -min_stack_version = "8.8.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
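Review bot: The tag `"Tactic:Execution"` in the new tags array of credential_access_suspicious_lsass_access_memdump.toml is missing the space after the colon that every other `Tactic:` tag in this diff has, and the reformat carried the typo over unchanged. Rule tags are matched literally, so this rule will not appear under a `Tactic: Execution` filter alongside the others; change the line to `"Tactic: Execution",`. If tag prefixes are validated at build time, that check would presumably flag it as well.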
@@ -30,7 +28,13 @@ This is meant to run only on datasources using Elastic Agent 7.14+ since version rule cardinality feature. """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "threshold" diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index 6e9b8c90f..0e25e99f8 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/16" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -84,7 +82,16 @@ Special Logon (Success) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", +] type = "eql" query = ''' @@ -115,6 +122,7 @@ name = "LSA Secrets" reference = "https://attack.mitre.org/techniques/T1003/004/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" 
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml index f53f4c36a..3178c34a6 100644 --- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml @@ -2,9 +2,7 @@ creation_date = "2021/12/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Austin Songer"] @@ -14,7 +12,13 @@ copy, including sensitive files such as ntds.dit, System Boot Key and browser of """ false_positives = ["Legitimate administrative activity related to shadow copies."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Symbolic Link to Shadow Copy Created" @@ -98,7 +102,7 @@ tags = [ "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -132,6 +136,7 @@ name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_veeam_backup_dll_imageload.toml b/rules/windows/credential_access_veeam_backup_dll_imageload.toml index e34bf9c6e..c22dbdbcc 100644 --- a/rules/windows/credential_access_veeam_backup_dll_imageload.toml +++ b/rules/windows/credential_access_veeam_backup_dll_imageload.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/03/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,7 +19,13 @@ name = "Veeam Backup Library Loaded by Unusual Process" risk_score = 47 rule_id = "aaab30ec-b004-4191-95e1-4a14387ef6a6" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -42,13 +46,13 @@ framework = "MITRE ATT&CK" id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml index 5ca51f713..e1f9cda03 100644 --- a/rules/windows/credential_access_veeam_commands.toml +++ b/rules/windows/credential_access_veeam_commands.toml @@ -2,9 +2,7 @@ creation_date = "2024/03/14" integration = ["windows", "endpoint", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,17 +11,29 @@ Identifies commands that can access and decrypt Veeam credentials stored in MSSQ Credentials to target backups as part of destructive operations such as Ransomware attacks. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Potential Veeam Credential Access Command" -references = [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/" -] +references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"] risk_score = 47 rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -43,13 +53,13 @@ framework = "MITRE ATT&CK" id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml index 52f0314e2..a91ceeef2 100644 --- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml +++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/11/27" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -34,7 +32,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index f8e76dc7d..a119ff108 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml @@ -2,9 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -36,7 +34,13 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu author = ["Elastic"] description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Wireless Credential Dumping using Netsh Command" @@ -96,7 +100,7 @@ tags = [ "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index 131316e93..d11eb4a92 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,11 +29,18 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Adding Hidden File Attribute via Attrib" @@ -95,7 +100,16 @@ This rule looks for the execution of the `attrib.exe` utility with a command lin risk_score = 21 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" 
@@ -110,6 +124,16 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" +[[rule.threat.technique.subtechnique]] +id = "T1222.001" +name = "Windows File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/001/" + + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" @@ -119,15 +143,6 @@ id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" -[[rule.threat.technique]] -id = "T1222" -name = "File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/" - -[[rule.threat.technique.subtechnique]] -id = "T1222.001" -name = "Windows File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/001/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml index 8d05f7533..3ffb21410 100644 --- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml +++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/17" integration = ["windows", "endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
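Review bot: Blank-line spacing between the reordered MITRE tables is inconsistent on the new side: `[[rule.threat.technique.subtechnique]]` for T1222.001 directly follows `reference = "https://attack.mitre.org/techniques/T1222/"` with no separating blank line, and two blank lines then precede the T1564 `[[rule.threat.technique]]` table. Elsewhere in this patch the moved T1112 block in defense_evasion_amsienable_key_mod.toml is separated from the next table by a single blank line, which reads as the intended convention. If a formatter produced this layout it is presumably deterministic, but a single blank line between each table would match the rest of the file and the other rules. The enclosing `[[rule.threat]]` section continues past this hunk.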
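Review bot: Dropping `min_stack_version = "8.11.0"` here is a different case from the 8.3.0 entries trimmed in the other files: the removed `min_stack_comments` line says the floor existed so the `sentinel_one_cloud_funnel` integration package could be validated, and the next hunk's index pattern `logs-sentinel_one_cloud_funnel.*` still depends on that package. If the stack-schema-map change in this PR raises the supported floor to 8.11.0 or above, the removal is safe; if the minimum supported stack stays below 8.11.0, the rule can now be validated and built for stacks where the SentinelOne fields are not in the schema, and the validation gate the comment describes is silently lost. Either keep this one line or state the new floor in the commit description so the intent is traceable.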
@@ -39,7 +37,13 @@ Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusu attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Antimalware Scan Interface DLL" @@ -104,7 +108,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: SentinelOne" + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index 426c4af72..09965632f 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -99,7 +97,14 @@ references = ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"] risk_score = 73 rule_id = "1f0a69c0-3392-4adf-b7d5-6012fd292da8" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 179b65d04..c4c9d6463 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml @@ -2,9 +2,7 @@ creation_date = "2021/06/01" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -90,7 +88,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -108,6 +106,11 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" 
@@ -117,10 +120,6 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index 655e82fbc..02cf01896 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -2,9 +2,7 @@ creation_date = "2021/11/22" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] @@ -13,7 +11,13 @@ Identifies when a user attempts to clear console history. An adversary may clear account to conceal the actions undertaken during an intrusion. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Clearing Windows Console History" @@ -72,7 +76,7 @@ tags = [ "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -103,8 +107,6 @@ reference = "https://attack.mitre.org/techniques/T1070/003/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 57e7f0489..4f102d07c 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies attempts to clear or disable Windows event log stores using Windows w attackers in an attempt to evade detection or destroy forensic evidence on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Clearing Windows Event Logs" @@ -67,7 +71,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -104,6 +108,7 @@ name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml index d3107aaac..00c645b62 100644 --- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/12" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Anabella Cristaldi"] @@ -51,7 +49,13 @@ This rule looks for the occurrence of clear actions on the `security` event log. risk_score = 21 rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml index 6115b3c49..6ab65745a 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml 
@@ -2,32 +2,41 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ + [rule] author = ["Elastic"] description = """ -Identifies attempts to disable/modify the code signing policy through system native utilities. 
Code signing provides -authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. -By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. +Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides +authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By +allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Code Signing Policy Modification Through Built-in tools" @@ -89,7 +98,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -100,6 +109,7 @@ process where host.os.type == "windows" and event.type == "start" and process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -117,3 +127,4 @@ reference = "https://attack.mitre.org/techniques/T1553/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml index 83818ee7c..e78e90576 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml 
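Review bot: Wrapping the two osquery `query = """..."""` values across lines changes the stored string, not just the source layout: a TOML basic multi-line string keeps the embedded newlines, so the SQL delivered in the transform now contains line breaks where it had single spaces. osquery treats them as whitespace and the statements still parse, but anything that hashes or compares rule content will see a different value, which seems outside the scope of a version-trimming backport; the same rewrap appears in defense_evasion_code_signing_policy_modification_registry.toml. If the wrapping is only for readability, ending each wrapped line with a TOML line-ending backslash (`image, \` on one line, `issuer_name, ...` on the next, keeping the separating space before the backslash) preserves the original single-line query text.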
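Review bot: The last hunk adds an empty line after `reference = "https://attack.mitre.org/tactics/TA0005/"`, so this file now ends with a blank line rather than a single terminating newline; defense_evasion_code_signing_policy_modification_registry.toml receives the same trailing line. This is inferred from the `+` line that sits directly before the next `diff --git` header, as only the EOF context is visible. If the other rule files are left with a single final newline, file endings across the ruleset now diverge and the next formatter run or a whitespace lint will flag or re-touch these files; dropping the added blank line keeps endings uniform.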
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml 
@@ -2,29 +2,32 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ + [rule] author = ["Elastic"] description = """ Identifies attempts to disable the code signing policy through the registry. 
Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the -execution of unsigned or self-signed code, threat actors can craft and execute malicious code. +execution of unsigned or self-signed code, threat actors can craft and execute malicious code. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"] @@ -90,7 +93,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -108,8 +111,14 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" @@ -119,12 +128,10 @@ id = "T1553.006" name = "Code Signing Policy Modification" reference = "https://attack.mitre.org/techniques/T1553/006/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index e04efcaf0..dab7b4aa1 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -87,7 +85,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml index 1a8d0b4c3..c4c34892c 100644 --- a/rules/windows/defense_evasion_cve_2020_0601.toml +++ b/rules/windows/defense_evasion_cve_2020_0601.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/19" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,13 @@ name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)" risk_score = 21 rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Use Case: Vulnerability", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 692f95c45..7e37b32b7 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -74,7 +72,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -111,6 +109,11 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -125,10 +128,6 @@ id = "T1562.006" name = "Indicator Blocking" reference = "https://attack.mitre.org/techniques/T1562/006/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 5153f7fac..b85e2970d 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/20" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ Identifies modifications to the Windows Defender configuration settings using Po directory or process level. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Windows Defender Exclusions Added via PowerShell" @@ -85,7 +89,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index d5f5f8371..d124e4493 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is of files created during post-exploitation activities. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Delete Volume USN Journal with Fsutil" 
@@ -52,7 +56,15 @@ Consider using the Elastic Defend integration instead of USN Journal, as the Ela risk_score = 21 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml index 3097f5234..0ce5ab808 100644 --- a/rules/windows/defense_evasion_disable_nla.toml +++ b/rules/windows/defense_evasion_disable_nla.toml 
@@ -2,17 +2,16 @@ creation_date = "2023/08/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows -that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate -before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the -Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys. +Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level +Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) +connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to +enable persistence methods that require access to the Windows sign-in screen without authenticating, such as +Accessibility Features persistence methods, like Sticky Keys. """ from = "now-9m" index = ["logs-endpoint.events.registry-*", "endgame-*"] @@ -25,7 +24,14 @@ references = [ risk_score = 21 rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml index 1cd8b9166..1a44c9d57 100644 --- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml +++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/31" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -71,7 +69,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -87,6 +85,11 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -96,10 +99,6 @@ id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index 9cf70208d..c99887329 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of the netsh.exe to disable or weaken the local firewall. Attacke disable the firewall during troubleshooting or to enable network mobility. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Disable Windows Firewall Rules via Netsh" @@ -65,7 +69,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index aaf6ed107..9474e98a6 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml 
@@ -2,16 +2,20 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings." false_positives = ["Planned Windows Defender configuration changes."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Disabling Windows Defender Security Settings via PowerShell" @@ -74,7 +78,7 @@ tags = [ "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -106,7 +110,6 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index 88f47c921..a94a693fc 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/05/06" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] @@ -13,7 +11,13 @@ Identifies attempts to disable EventLog via the logman Windows utility, PowerShe attackers in an attempt to evade detection on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Disable Windows Event and Security Logs Using Built-in Tools" @@ -70,7 +74,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -106,7 +110,6 @@ reference = "https://attack.mitre.org/techniques/T1070/001/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index a209f05fa..b86746d1b 100644 --- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/07/22" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] @@ -33,7 +31,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -50,16 +56,16 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index d27ad7f98..f1c529bde 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml 
@@ -2,18 +2,22 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt -to compile code after delivery in order to bypass security mechanisms. +Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to +compile code after delivery in order to bypass security mechanisms. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Suspicious .NET Code Compilation" @@ -28,7 +32,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -56,8 +68,6 @@ reference = "https://attack.mitre.org/techniques/T1027/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index 31981e2ba..ef508310c 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of the network shell utility (netsh.exe) to enable inbound Remote the Windows Firewall. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Remote Desktop Enabled in Windows Firewall by Netsh" @@ -71,7 +75,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index a55b407c5..55e86511a 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ tool to weaken the host firewall settings. """ false_positives = ["Host Windows Firewall planned system administration changes."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Enable Host Network Discovery via Netsh" @@ -67,7 +71,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index e0a6b81cd..4a9253a1d 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -2,9 +2,7 @@ creation_date = "2021/09/08" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ Identifies unusual instances of Control Panel with suspicious keywords or paths Adversaries may abuse control.exe to proxy execution of malicious code. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Control Panel Process with Unusual Arguments" @@ -29,14 +33,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index ffffa6b44..08bbbf5ab 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -38,7 +37,13 @@ Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load as a defense evasion technique to blend-in malicious activity with legitimate Windows software. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "ImageLoad via Windows Update Auto Update Client" @@ -105,14 +110,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 3db2d9399..0eae0465c 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,7 +17,13 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by an Office Application" @@ -93,7 +97,7 @@ tags = [ "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 865691b85..254454f01 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
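Review bot: The second hunk on this line (`defense_evasion_execution_msbuild_started_by_script.toml`) drops `min_stack_version = "8.6.0"` together with the comment that multi-field New Terms support was added in Elastic 8.6, while the rule's later hunk still declares `value = ["host.id", "user.name", "process.command_line"]` under `[rule.new_terms]`. Trimming that gate is only safe if the target branch's minimum supported stack is already at or above 8.6.0, which nothing in this hunk states; on an older floor the rule would be packaged for stacks that cannot run a multi-field new_terms query. Please confirm the branch floor before merging, and if it is below 8.6.0 keep `min_stack_version = "8.6.0"` and its comment here. The same consideration applies to the other multi-field new_terms rule trimmed in this patch (`defense_evasion_execution_msbuild_started_unusal_process.toml`).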
@@ -29,13 +27,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -46,26 +45,26 @@ host.os.type:windows and event.category:process and event.type:start and ( "wscript.exe" or "mshta.exe") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" - [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -74,10 +73,12 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" 
@@ -93,7 +94,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.name", "process.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 23ac00853..5ff9a093d 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ Instrumentation) subsystem. This behavior is unusual and is sometimes used by ma """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by a System Process" 
@@ -29,14 +33,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index ce9964174..4be383084 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -114,7 +112,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -137,6 +135,7 @@ id = "T1036.003" name = "Rename System Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index 2a3f2bad3..2ad746055 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -35,14 +33,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend" - ] - +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -51,19 +49,19 @@ host.os.type:windows and event.category:process and event.type:start and process process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" - [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
@@ -83,7 +81,8 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.name"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 0cf09edbc..098ce0487 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -29,15 +27,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index 974b024e3..0b2228e76 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml 
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Dennis Perto"] @@ -33,15 +31,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index 570460585..e93afa811 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,7 +27,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index 4abc04cab..2c1f7f329 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -38,7 +37,13 @@ Identifies process execution from suspicious default Windows directories. This i malware in trusted paths. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Process Execution from an Unusual Directory" @@ -108,7 +113,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 59977ac9d..205ab2734 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
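Review bot: Unlike the 8.3.0 and 8.6.0 gates trimmed elsewhere in this patch, the gate removed in the `defense_evasion_hide_encoded_executable_registry.toml` hunk at the end of this line is `min_stack_version = "8.11.0"`, justified by "SentinelOne integration package minimum version for validation", and the rule keeps `integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]` (and, in the following hunk, the `logs-sentinel_one_cloud_funnel.*` index). If the backport target branch's minimum stack is below 8.11, removing this gate ships the rule to stacks where that integration package does not exist, so its fields would not validate against the integration schema there. Please confirm the branch floor is at or above 8.11.0; if it is not, this rule should retain `min_stack_version = "8.11.0"` and its `min_stack_comments` line rather than being trimmed with the rest.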
@@ -13,14 +11,28 @@ Identifies registry write modifications to hide an encoded portable executable. defense evasion by avoiding the storing of malicious content directly on disk. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Encoded Executable Stored in the Registry" risk_score = 47 rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index b22fb7fb3..5f00f7e7f 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ Identifies when Internet Information Services (IIS) HTTP Logging is disabled on access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -63,7 +67,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index aa9e5675f..802025652 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -20,7 +18,14 @@ name = "Process Injection by the Microsoft Build Engine" risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "query" @@ -46,6 +51,7 @@ name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml index 87b368d79..eca5aea19 100644 --- a/rules/windows/defense_evasion_installutil_beacon.toml +++ b/rules/windows/defense_evasion_installutil_beacon.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,14 +11,26 @@ Identifies InstallUtil.exe making outbound network connections. This may indicat often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "InstallUtil Process Making Network Connections" risk_score = 47 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 81a5bced8..16de53c64 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ A suspicious Endpoint Security parent process was detected. This may indicate a injection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Endpoint Security Parent Process" @@ -28,7 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -58,7 +69,6 @@ process where host.os.type == "windows" and event.type == "start" and "/enable" ) ) - ''' @@ -68,13 +78,13 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml index fcd53d91b..69125b3d1 100644 --- a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml +++ b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/09/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -24,7 +22,15 @@ references = [ risk_score = 21 rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution"] +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Initial Access", + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" @@ -165,7 +171,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -177,11 +182,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -194,7 +199,6 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml index 160315743..cfb5fd3b6 100644 --- a/rules/windows/defense_evasion_masquerading_communication_apps.toml +++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/05/05" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,13 @@ name = "Potential Masquerading as Communication Apps" risk_score = 47 rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -94,7 +98,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -106,12 +109,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -119,6 +121,7 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index d8cb62d5f..5aab79fc4 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/09/01" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -112,7 +110,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index bcfb84a7b..3cd557a08 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ registry key manipulation. Verify process details such as command line, network """ false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious WerFault Child Process" 
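Review bot: The defense_evasion_masquerading_suspicious_werfault_childproc.toml hunks drop the 8.11.0 floor while the same file keeps `logs-sentinel_one_cloud_funnel.*` in its `index` list, so the rule no longer carries any record of the stack version at which its SentinelOne data source became validatable. Unlike the 8.3.0 removals elsewhere in this diff, the comment being deleted says the floor was for the SentinelOne integration package, which is a data-source dependency rather than a schema-field dependency. Whether this is safe depends on the new global floor set outside this hunk, which I cannot see; if that floor is below 8.11.0 the rule will be shipped to stacks lacking the integration. Consider retaining `min_stack_version = "8.11.0"` for this rule or noting the dependency inline, e.g. `# requires stack >= 8.11.0 for the sentinel_one_cloud_funnel schema`.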
@@ -35,7 +39,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" @@ -63,8 +77,6 @@ reference = "https://attack.mitre.org/techniques/T1036/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -82,9 +94,6 @@ reference = "https://attack.mitre.org/techniques/T1546/012/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 51d4f068c..53359cc1b 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -14,7 +12,13 @@ usually host trusted third party programs. An adversary may leverage masqueradin detections allowlisting those folders. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Program Files Directory Masquerading" @@ -29,7 +33,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index 10825bd5f..c4832f2ec 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -41,7 +39,12 @@ masquerading attempt to evade suspicious child process behavior detections. """ false_positives = ["Legit Application Crash with rare Werfault commandline value"] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Potential Windows Error Manager Masquerading" @@ -103,7 +106,15 @@ references = [ risk_score = 47 rule_id = "6ea41894-66c3-4df7-ad6b-2c5074eb3df8" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -121,13 +132,13 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 7a7fb3cde..013245ca2 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] @@ -76,7 +74,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -115,15 +121,16 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index 23325449d..a7c4a5a81 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -39,7 +38,12 @@ validation. Adversaries may use these binaries to 'live off the land' and execut application allowlists and signature validation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Network Connection via Signed Binary" @@ -100,7 +104,15 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index cd33fc5a3..7575aea34 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml 
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/12" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -83,7 +81,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index 526bde67f..ac7a2d074 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -38,7 +37,12 @@ Identifies MsBuild.exe making outbound network connections. This may indicate ad leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "MsBuild Making Network Connections" @@ -100,7 +104,15 @@ This rule looks for the `Msbuild.exe` utility execution, followed by a network c risk_score = 47 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml index 114d561f4..16ce875c6 100644 --- a/rules/windows/defense_evasion_mshta_beacon.toml +++ b/rules/windows/defense_evasion_mshta_beacon.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,14 +11,26 @@ Identifies Mshta.exe making outbound network connections. This may indicate adve leveraged by adversaries to execute malicious scripts and evade detection. """ from = "now-20m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Mshta Making Network Connections" risk_score = 47 rule_id = "c2d90150-0133-451c-a783-533e736c12d7" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index 0835894f9..714b28417 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,12 @@ Identifies msxsl.exe making a network connection. This may indicate adversarial by adversaries to execute malicious scripts and evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Network Connection via MsXsl" @@ -21,7 +24,14 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index b7a6daca8..d04c84fd6 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -39,7 +37,12 @@ Identifies network activity from unexpected system applications. This may indica applications are often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Unusual Network Activity from a Windows System Binary" @@ -100,7 +103,15 @@ This rule identifies network connections established by trusted developer utilit risk_score = 47 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -166,6 +177,16 @@ sequence by process.entity_id with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
@@ -180,15 +201,7 @@ id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml index 2314ec54c..84aecaea7 100644 --- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,7 +19,14 @@ references = ["https://blog.didierstevens.com/2017/03/20/"] risk_score = 73 rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -84,8 +89,6 @@ reference = "https://attack.mitre.org/techniques/T1134/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index 7212b3125..181950d35 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -2,9 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ default) and is set to 1, then remote connections from all local members of Admi high-integrity tokens during negotiation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Local Account TokenFilter Policy Disabled" @@ -35,7 +39,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: SentinelOne" + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" @@ -66,8 +70,6 @@ reference = "https://attack.mitre.org/techniques/T1562/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml index 6dde3fa66..985ce93b1 100644 --- a/rules/windows/defense_evasion_posh_encryption.toml +++ b/rules/windows/defense_evasion_posh_encryption.toml 
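Review bot: For defense_evasion_persistence_account_tokenfilterpolicy.toml the removed `min_stack_version = "8.11.0"` was tied to the SentinelOne integration package (per the deleted comment), yet the hunk keeps `logs-sentinel_one_cloud_funnel.*` and the `Data Source: SentinelOne` tag, so the rule now depends on a stack feature it no longer declares. This rule watches LocalAccountTokenFilterPolicy, a control that directly governs remote admin token filtering, so a silently non-functional deployment on an older stack is a real detection gap rather than a cosmetic one. If the repo-level floor introduced elsewhere in this PR is at least 8.11.0 this is fine; otherwise I would restore `min_stack_version = "8.11.0"` here or document the SentinelOne requirement in a TOML comment above `index`.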
@@ -2,9 +2,7 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -51,7 +49,14 @@ PowerShell offers encryption and decryption functionalities that attackers can a
 risk_score = 47
 rule_id = "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: PowerShell Logs",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 9ab8e5502..bac16ac48 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +81,15 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Resources: Investigation Guide",
+    "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -122,7 +128,6 @@ reference = "https://attack.mitre.org/techniques/T1055/002/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index edafb0b5a..abd9a87b4 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -82,7 +80,7 @@ tags = [
     "Tactic: Execution",
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend"
+    "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -113,7 +111,6 @@ reference = "https://attack.mitre.org/techniques/T1562/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 105d94c93..5ed21ba1c 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path
 WHERE authenticode.result != 'trusted'
 """
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -95,7 +94,15 @@ This rule identifies an unsigned process termination event quickly followed by t
 risk_score = 47
 rule_id = "09443c92-46b3-45a4-8f25-383b028b258d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+]
 type = "eql"
 
 query = '''
@@ -129,12 +136,12 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
 
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index e7df54ffa..debc6c67d 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml
index f412479a2..f3e782745 100644
--- a/rules/windows/defense_evasion_root_dir_ads_creation.toml
+++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml
@@ -2,18 +2,21 @@
 creation_date = "2024/03/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the
-attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.
+Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to
+hide tools and malware, as ADSs created in this directory are not displayed by system utilities.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-endpoint.events.file-*",
+    "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Alternate Data Stream Creation/Execution at Volume Root Directory"
@@ -21,7 +24,14 @@ references = ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomwa
 risk_score = 47
 rule_id = "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 3905a429f..05f502734 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path
 WHERE authenticode.result != 'trusted'
 """
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -102,7 +101,14 @@ RunDLL32 is a legitimate Windows utility used to load and execute functions with
 risk_score = 73
 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_sccm_scnotification_dll.toml b/rules/windows/defense_evasion_sccm_scnotification_dll.toml
index faa114dbc..8abfbc372 100644
--- a/rules/windows/defense_evasion_sccm_scnotification_dll.toml
+++ b/rules/windows/defense_evasion_sccm_scnotification_dll.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/04/17"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/17"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -19,12 +17,18 @@ license = "Elastic License v2"
 name = "Potential Windows Session Hijacking via CcmExec"
 references = [
     "https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec",
-    "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users"
+    "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users",
 ]
 risk_score = 47
 rule_id = "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 0c7d058f1..505aec53d 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +28,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -60,21 +67,19 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1053.002"
 name = "At"
 reference = "https://attack.mitre.org/techniques/T1053/002/"
 
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 256dea76f..de7148408 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -52,7 +50,17 @@ This rule identifies file name patterns generated by the use of SDelete utility
 risk_score = 21
 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Impact",
+    "Data Source: Elastic Endgame",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -78,8 +86,6 @@ reference = "https://attack.mitre.org/techniques/T1070/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index bb329324f..95c8ab246 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +20,15 @@ references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
 risk_score = 47
 rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index bc4bbd38f..cf10b147d 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Initial Access",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -54,6 +61,11 @@ registry where host.os.type == "windows" and registry.path : (
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
@@ -64,10 +76,6 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
 
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index fc5d2252d..6b2f2843b 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path
 WHERE authenticode.result != 'trusted'
 """
+
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
@@ -39,7 +38,13 @@ Certificate Services. CertUtil is often abused by attackers to live off the land
 data exfiltration.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious CertUtil Commands"
@@ -102,7 +107,15 @@ references = [
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index 2408f6bf6..835c75dc5 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -78,7 +84,6 @@ framework = "MITRE ATT&CK"
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 20706f7bb..3ed7d721f 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -17,11 +15,20 @@ index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_ope
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Managed Code Hosting Process"
-references = ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"]
+references = [
+    "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+]
 risk_score = 73
 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index c10a9e070..d38e017d6 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/11"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
-min_stack_version = "8.8.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -113,7 +111,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Resources: Investigation Guide",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -153,10 +159,8 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index b2a164535..d4c4fb10d 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/24"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
-min_stack_version = "8.8.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -48,7 +46,14 @@ Attackers may inject code into child processes' memory to hide their actual acti
 risk_score = 47
 rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+    "Data Source: Sysmon",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index d852a4742..1011838ee 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +18,14 @@ name = "Suspicious Script Object Execution"
 risk_score = 47
 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -57,13 +62,13 @@ framework = "MITRE ATT&CK"
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1218.010"
 name = "Regsvr32"
 reference = "https://attack.mitre.org/techniques/T1218/010/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index ecb739594..75210439c 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,10 +29,13 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path
 WHERE authenticode.result != 'trusted'
 """
+
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.
+Identifies the execution of a process with a single character process name, differing from the original file name. This
+is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based
+on the process name.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
@@ -92,7 +93,16 @@ Identifies the execution of a process with a single character process name, diff
 risk_score = 47
 rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index 789fd5132..b10b97989 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,14 +11,27 @@ Identifies WMIC allowlist bypass techniques by alerting on suspicious execution
 libraries it may be indicative of an allowlist bypass.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-endpoint.events.library-*",
+    "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WMIC XSL Script Execution"
 risk_score = 47
 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 type = "eql"
 
 query = '''
@@ -46,15 +57,14 @@ reference = "https://attack.mitre.org/techniques/T1220/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
 
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index f49c65712..b8baa796c 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,14 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r
 such as command line, network connections, file writes and associated file signature details as well.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Zoom Child Process"
@@ -97,7 +102,17 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -124,7 +139,6 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
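Review bot: Dropping `min_stack_comments = "SentinelOne integration package minimum version for validation."` together with `min_stack_version = "8.11.0"` removes the only in-file record that this rule's `sentinel_one_cloud_funnel` integration depended on an 8.11 stack; the same applies to the first hunk of `defense_evasion_unsigned_dll_loaded_from_suspdir.toml`, whose removed comment tied `dll.Ext.relative_file_creation_time` to Elastic Endpoint 8.4 and above. If the trimmed minimum stack is at or above those versions the removal is harmless, but that floor is set elsewhere in the commit and is not visible from these hunks, so a reader of the rule can no longer see why it might fail validation or never match on an older deployment. Consider carrying the field or package dependency into the rule's `note` or `setup` text, e.g. `The dll.Ext.relative_file_creation_time field is populated in Elastic Endpoint 8.4 and above.`, so the requirement survives the metadata trim.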
@@ -137,3 +151,4 @@ reference = "https://attack.mitre.org/techniques/T1203/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 21c674aa7..a3a278e09 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -113,7 +111,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon"
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -145,7 +143,6 @@ reference = "https://attack.mitre.org/techniques/T1211/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_timestomp_sysmon.toml b/rules/windows/defense_evasion_timestomp_sysmon.toml
index 002dc8452..827fb4c7a 100644
--- a/rules/windows/defense_evasion_timestomp_sysmon.toml
+++ b/rules/windows/defense_evasion_timestomp_sysmon.toml
@@ -2,16 +2,14 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies modification of a file creation time. Adversaries may modify file time attributes to blend
-malicious content with existing files. Timestomping is a technique that modifies the timestamps of
-a file often to mimic files that are in trusted directories.
+Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content
+with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in
+trusted directories.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
@@ -26,7 +24,7 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
- "Data Source: Sysmon"
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -68,7 +66,9 @@ name = "Timestomp"
 reference = "https://attack.mitre.org/techniques/T1070/006/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
index f1a0df195..052d4bb6f 100644
--- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
+++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
@@ -1,17 +1,15 @@
 [metadata]
 creation_date = "2022/11/22"
-maturity = "production"
 integration = ["endpoint"]
-min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
-min_stack_version = "8.4.0"
-updated_date = "2024/03/28"
+maturity = "production"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
 Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted
-program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading
-a malicious DLL within the memory space of a signed processes.
+program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a
+malicious DLL within the memory space of a signed processes.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.library-*"]
@@ -29,7 +27,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -126,12 +130,12 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
index 3e5574298..dcf13aab5 100644
--- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml
+++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
@@ -2,27 +2,31 @@
 creation_date = "2023/01/27"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/15"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
+issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
+authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
 """
 [[transform.osquery]]
 label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
+issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
+authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
 """
+
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.
+Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of
+unsigned or self-signed code.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.library-*"]
@@ -89,13 +93,20 @@ This rule identifies an attempt to load an untrusted driver, which effectively m
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
- "https://github.com/hfiref0x/TDL",
- "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"
+ "https://github.com/hfiref0x/TDL",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN",
 ]
 risk_score = 73
 rule_id = "d8ab1ec1-feeb-48b9-89e7-c12e189448aa"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -112,12 +123,13 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 5a30ad134..8379392ab 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -110,7 +108,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 2919e8d50..5e0ec96e2 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -28,7 +26,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index c5d82124d..18f0e76af 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,12 @@ Identifies unusual instances of dllhost.exe making outbound network connections.
 and Control activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Network Connection via DllHost"
@@ -25,7 +28,14 @@ references = [
 risk_score = 47
 rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 17ce9288d..90e8da270 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,12 @@ Identifies unusual instances of rundll32.exe making outbound network connections
 and Control activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Network Connection via RunDLL32"
@@ -56,7 +59,16 @@ references = [
 risk_score = 47
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
@@ -105,3 +117,4 @@ reference = "https://attack.mitre.org/techniques/T1071/001/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index dfa44ae72..42fa32b52 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,12 @@ Identifies network activity from unexpected system applications. This may indica
 applications are often leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Process Network Connection"
@@ -47,7 +50,15 @@ This rule identifies network activity from unexpected system utilities and appli
 risk_score = 21
 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index f1d993e1d..3a55105d4 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,15 +2,19 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Child Process from a System Virtual Process"
@@ -25,7 +29,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 48df9e961..4369e04cd 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -38,7 +37,13 @@ The Filter Manager Control Program (fltMC.exe) binary may be abused by adversari
 defenses.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Evasion via Filter Manager"
@@ -97,7 +102,15 @@ This rule identifies the attempt to unload a minifilter using the `fltmc.exe` co
 risk_score = 47
 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml
index b342d8df3..4c31c6f20 100644
--- a/rules/windows/defense_evasion_windows_filtering_platform.toml
+++ b/rules/windows/defense_evasion_windows_filtering_platform.toml
@@ -2,16 +2,13 @@
 creation_date = "2023/12/15"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies multiple Windows Filtering Platform block events and where the process name is related to
-an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security
-from sending telemetry.
+Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint
+security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.network-*", "logs-system.security-*"]
@@ -19,11 +16,11 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential Evasion via Windows Filtering Platform"
 references = [
- "https://github.com/dsnezhkov/shutter/tree/main",
- "https://github.com/netero1010/EDRSilencer/tree/main",
- "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152"
+ "https://github.com/dsnezhkov/shutter/tree/main",
+ "https://github.com/netero1010/EDRSilencer/tree/main",
+ "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152",
 ]
 risk_score = 47
 rule_id = "92d3a04e-6487-4b62-892d-70e640a590dc"
@@ -49,7 +46,7 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 type = "eql"
@@ -116,3 +113,4 @@ reference = "https://attack.mitre.org/techniques/T1562/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index d7151581b..a301336e8 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/03/02"
 integration = ["windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/01/16"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index 56e4efaee..65ad3cc71 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,30 +2,42 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable
-and use WSL for Linux to avoid detection.
+Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to
+avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Windows Subsystem for Linux"
 references = [
 "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
 ]
 risk_score = 21
 rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
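Review bot: The reflowed description line `+Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to` carries the doubled "the" over from the old text; since the line is being rewritten anyway, this is the moment to drop it: `Detects Linux Bash commands from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to`. The same doubled "the" is reflowed into the new description of `defense_evasion_wsl_filesystem.toml` (`from the the Windows Subsystem for Linux`) and should be fixed there too.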
@@ -57,24 +69,26 @@ id = "T1202"
 name = "Indirect Command Execution"
 reference = "https://attack.mitre.org/techniques/T1202/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
- [[rule.threat.technique.subtechnique]]
- id = "T1059.004"
- name = "Unix Shell"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index add8d5f51..05204c9c8 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,18 +2,22 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Detects attempts to execute a program on the host from the Windows Subsystem for Linux.
-Adversaries may enable and use WSL for Linux to avoid detection.
+Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use
+WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via Windows Subsystem for Linux"
@@ -21,7 +25,14 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 47
 rule_id = "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -52,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1202/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index a1b8f65de..420fb3249 100644
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -2,18 +2,22 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable
-and use WSL for Linux to avoid detection.
+Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use
+WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Subsystem for Linux Enabled via Dism Utility"
@@ -57,7 +61,14 @@ references = ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux
 risk_score = 47
 rule_id = "e2e0537d-7d8f-4910-a11d-559bcf61295a"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -75,7 +86,9 @@ id = "T1202"
 name = "Indirect Command Execution"
 reference = "https://attack.mitre.org/techniques/T1202/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml
index 013c926ff..afcf4dfd1 100644
--- a/rules/windows/defense_evasion_wsl_filesystem.toml
+++ b/rules/windows/defense_evasion_wsl_filesystem.toml
@@ -2,18 +2,21 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/04/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Detects files creation and modification on the host system from the the Windows Subsystem for Linux.
-Adversaries may enable and use WSL for Linux to avoid detection.
+Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may
+enable and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Host Files System Changes via Windows Subsystem for Linux"
@@ -21,7 +24,15 @@ references = ["https://github.com/microsoft/WSL"]
 risk_score = 47
 rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -47,3 +58,4 @@ reference = "https://attack.mitre.org/techniques/T1202/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index cc0e4849b..7a9d1eb04 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml +++ b/rules/windows/defense_evasion_wsl_kalilinux.toml @@ -2,18 +2,22 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may -enable and use WSL for Linux to avoid detection. +Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for +Linux to avoid detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Attempt to Install Kali Linux via WSL" @@ -21,7 +25,14 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 73 rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -49,3 +60,4 @@ reference = "https://attack.mitre.org/techniques/T1202/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml index fe267a4a6..0908de4d3 100644 --- a/rules/windows/defense_evasion_wsl_registry_modification.toml +++ b/rules/windows/defense_evasion_wsl_registry_modification.toml @@ -2,15 +2,13 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux -distribution by name. Adversaries may enable and use WSL for Linux to avoid detection. +Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. +Adversaries may enable and use WSL for Linux to avoid detection. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"] 
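Review bot: In the rewrapped description of defense_evasion_wsl_registry_modification.toml, `Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name.` has a subject–verb mismatch ("changes ... indicates"). `Detects registry changes that indicate the installation of a new Windows Subsystem for Linux distribution by name.` reads cleanly and stays within the wrap width used elsewhere in this change. The rest of the hunk is metadata trimming and needs no change.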
@@ -58,7 +56,15 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 47 rule_id = "a1699af0-8e1e-4ed0-8ec1-89783538a061" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799" timeline_title = "Comprehensive Registry Timeline" timestamp_override = "event.ingested" @@ -89,3 +95,4 @@ reference = "https://attack.mitre.org/techniques/T1202/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml index 18fbaab7b..e43e63aa6 100644 --- a/rules/windows/discovery_active_directory_webservice.toml +++ b/rules/windows/discovery_active_directory_webservice.toml 
@@ -2,15 +2,13 @@ creation_date = "2024/01/31" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. -Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service. +Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP +port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service. """ from = "now-9m" index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"] @@ -21,7 +19,13 @@ references = ["https://github.com/FalconForceTeam/SOAPHound"] risk_score = 47 rule_id = "9c951837-7d13-4b0c-be7a-f346623c8795" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -41,15 +45,17 @@ sequence by process.entity_id with maxspan=3m network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index ed54cb9a0..0d0a328cd 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ leveraged by threat actors to perform post-exploitation Active Directory reconna observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "AdFind Command Activity" @@ -72,7 +76,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -91,6 +103,11 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -121,10 +138,6 @@ id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index f43b5d0ca..601a38f93 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies instances of lower privilege accounts enumerating Administrator accou tools. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Enumeration of Administrator Accounts" 
@@ -60,14 +64,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -90,14 +95,13 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -108,11 +112,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" - [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -123,7 +127,10 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 373ff4fb1..24ebab839 100644 --- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -57,7 +55,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -86,7 +93,6 @@ reference = "https://attack.mitre.org/techniques/T1033/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml index 65c9545d4..27c8db811 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -17,7 +15,13 @@ false_positives = [ "Domain administrators may use this command-line utility for legitimate information gathering purposes.", ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Enumerating Domain Trusts via DSQUERY.EXE" @@ -59,7 +63,15 @@ references = [ risk_score = 21 rule_id = "06a7a03c-c735-47a6-a313-51c354aef6c3" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -73,14 +85,16 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1482" -name = "Domain Trust Discovery" -reference = "https://attack.mitre.org/techniques/T1482/" -[[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index 34783cece..2417a773e 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,13 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Enumerating Domain Trusts via NLTEST.EXE" @@ -62,14 +66,15 @@ references = [ risk_score = 21 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -84,20 +89,22 @@ not process.parent.name : "PDQInventoryScanner.exe" and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" -[[rule.threat.technique]] -id = "T1018" -name = "Remote System Discovery" -reference = "https://attack.mitre.org/techniques/T1018/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml index 7baf49bd1..e67adb376 100644 --- a/rules/windows/discovery_group_policy_object_discovery.toml +++ b/rules/windows/discovery_group_policy_object_discovery.toml @@ -2,20 +2,23 @@ creation_date = "2023/01/18" integration = ["windows", "endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" - +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy -objects during the reconnaissance phase after compromising a system to gain a better understanding -of the active directory environment and possible methods to escalate privileges or move laterally. +Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the +reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and +possible methods to escalate privileges or move laterally. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Group Policy Discovery via Microsoft GPResult Utility" 
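Review bot: The rewrapped description in discovery_group_policy_object_discovery.toml writes `the active directory environment` in lowercase, while the other discovery rules touched in this change (for example the ADWS rule, "loading Active Directory related modules") use the proper noun `Active Directory`. `reconnaissance phase after compromising a system to gain a better understanding of the Active Directory environment and` keeps the vocabulary consistent across the rule set. Only a wording point; the metadata trimming in the hunk is fine.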
@@ -55,7 +58,14 @@ The detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is de risk_score = 21 rule_id = "94a401ba-4fa2-455c-b7ae-b6e037afc0b7" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -64,6 +74,7 @@ process where host.os.type == "windows" and event.type == "start" and (process.name: "gpresult.exe" or ?process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -71,7 +82,9 @@ id = "T1615" name = "Group Policy Discovery" reference = "https://attack.mitre.org/techniques/T1615/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml index 85a3f5255..e8bd71550 100644 --- a/rules/windows/discovery_high_number_ad_properties.toml +++ b/rules/windows/discovery_high_number_ad_properties.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/29" integration = ["windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,8 +17,7 @@ license = "Elastic License v2" name = "Suspicious Access to LDAP Attributes" risk_score = 73 rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e" -setup = """ -The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). +setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: Computer Configuration > diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index 4bd545398..03a18f7de 100644 --- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of the Windows file system utility (fsutil.exe) to gather informa and components connected to a computer system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Peripheral Device Discovery" 
@@ -57,7 +61,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml index 3c2b0f7cf..717838974 100644 --- a/rules/windows/discovery_posh_invoke_sharefinder.toml +++ b/rules/windows/discovery_posh_invoke_sharefinder.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -77,7 +75,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" 
@@ -132,15 +139,14 @@ reference = "https://attack.mitre.org/techniques/T1106/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" + [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml index f6108af2a..6c49a4331 100644 --- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml +++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2023/09/22" maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/09/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,14 +17,16 @@ name = "Unusual Discovery Signal Alert with Unusual Process Command Line" risk_score = 21 rule_id = "29ef5686-9b93-433e-91b5-683911094698" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: Higher-Order Rule" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: Higher-Order Rule", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or @@ -36,6 +36,7 @@ host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" 
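Review bot: Dropping `min_stack_version = "8.6.0"` from discovery_signal_unusual_discovery_signal_proc_cmdline.toml is only safe if the repository's minimum supported stack is now at or above 8.6.0, because the removed `min_stack_comments` line records that multiple `new_terms_fields` (here `host.id`, `user.id`, `process.command_line`) are not accepted by earlier New Terms rule versions. The other hunks in this change only remove 8.3.0 gates, so whether the floor has moved past 8.6.0 is not visible here; if it has not, this rule would fail to import on 8.3–8.5 stacks and the higher-order discovery coverage would be lost without any error in the rule itself. The same removal appears in the first hunk of discovery_signal_unusual_discovery_signal_proc_executable.toml. I would confirm the floor before merging, or keep the gate and its comment for these two files.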
@@ -47,7 +48,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml index 6da4d484d..b39b57e19 100644 --- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml +++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2023/09/22" maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/11/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,18 +17,21 @@ name = "Unusual Discovery Signal Alert with Unusual Process Executable" risk_score = 21 rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: Higher-Order Rule" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: Higher-Order Rule", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511" ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -42,7 +43,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + 
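Review bot: Both `[[rule.new_terms.history_window_start]]` hunks end with two added empty lines after `value = "now-14d"`, so each file now appears to close with a run of blank lines rather than a single trailing newline, whereas the other rule files in this change gain only one. This looks like formatter output rather than intent, and it is the kind of whitespace drift that reappears on every reformat. I would trim both discovery_signal_unusual_discovery_signal_proc_cmdline.toml and discovery_signal_unusual_discovery_signal_proc_executable.toml to a single final newline.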
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index 5d6fe0c1f..0df4a75f2 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -66,7 +64,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml index 8dd36feec..0d47ba3a7 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ false_positives = [ "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.", ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Command Execution via SolarWinds Process" @@ -32,7 +36,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -55,7 +67,6 @@ framework = "MITRE ATT&CK" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -67,6 +78,7 @@ name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml index ac3ce9329..aa5459694 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,7 +30,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index 83546affc..44443946e 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -14,7 +12,13 @@ programming interface (API) that enables interaction between software objects or run a COM object created in registry to evade defensive counter measures. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Execution of COM object via Xwizard" @@ -33,7 +37,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index 0d8848c10..29d7056f1 100644 --- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -44,7 +43,12 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Command Prompt Network Connection" @@ -106,7 +110,15 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index ae32c9edd..61d4d0576 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
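Review bot: Dropping `min_stack_version = "8.6.0"` together with its comment about multi-field New Terms support from execution_command_shell_started_by_svchost.toml is only safe if the global floor this commit sets in detection_rules/etc/stack-schema-map.yaml is at or above 8.6.0; that file is in the diffstat but not in this part of the diff, so I cannot confirm it. The same concern applies with a higher bar to execution_command_shell_started_by_unusual_process.toml, which loses `min_stack_version = "8.11.0"`, recorded in the removed comment as the SentinelOne integration package minimum for validation. If the new floor is below either value, those rules would presumably again be validated and packaged for stacks that lack multi-field new_terms or the sentinel_one_cloud_funnel schema, which is exactly what the removed fields were guarding against. Consider keeping those two per-rule floors, or stating the new global minimum in docs/versioning.md so a reviewer can check each removed floor against it.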
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index 07b82ed12..ba9c7d475 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml @@ -2,15 +2,19 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Unusual Parent Process for cmd.exe" @@ -25,7 +29,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index 37d892108..283ae13e8 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -26,7 +24,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -50,6 +58,7 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" @@ -73,8 +82,6 @@ reference = "https://attack.mitre.org/techniques/T1552/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml index 704e5d260..1fe398d77 100644 --- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml +++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,14 @@ name = "Delayed Execution via Ping" risk_score = 21 rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" query = ''' 
@@ -62,88 +67,86 @@ sequence by process.parent.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -name = "Command and Scripting Interpreter" id = "T1059" +name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] - name = "Visual Basic" - id = "T1059.005" - reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" - [[rule.threat.technique.subtechnique]] - name = "PowerShell" - id = "T1059.001" - reference = "https://attack.mitre.org/techniques/T1059/001/" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1216" +name = "System Script Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1216/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + + +[[rule.threat.technique]] +id = "T1220" +name = "XSL Script Processing" +reference = "https://attack.mitre.org/techniques/T1220/" [[rule.threat.technique]] id = "T1497" name = "Virtualization/Sandbox Evasion" reference = "https://attack.mitre.org/techniques/T1497/" +[[rule.threat.technique.subtechnique]] +id = "T1497.003" +name = "Time Based Evasion" +reference = "https://attack.mitre.org/techniques/T1497/003/" - [[rule.threat.technique.subtechnique]] - name = "Time Based Evasion" - id = "T1497.003" - reference = "https://attack.mitre.org/techniques/T1497/003/" - -[[rule.threat.technique]] -name = "System Binary Proxy Execution" -id = "T1218" -reference = "https://attack.mitre.org/techniques/T1218/" - - [[rule.threat.technique.subtechnique]] - name = "CMSTP" - id = "T1218.003" - reference = "https://attack.mitre.org/techniques/T1218/003/" - - [[rule.threat.technique.subtechnique]] - name = "InstallUtil" - id = "T1218.004" - reference = "https://attack.mitre.org/techniques/T1218/004/" - - [[rule.threat.technique.subtechnique]] - name = "Mshta" - id = "T1218.005" - reference = "https://attack.mitre.org/techniques/T1218/005/" - - [[rule.threat.technique.subtechnique]] - name = "Regsvcs/Regasm" - id = "T1218.009" - reference = "https://attack.mitre.org/techniques/T1218/009/" - - [[rule.threat.technique.subtechnique]] - name = "Regsvr32" - id = "T1218.010" - reference = "https://attack.mitre.org/techniques/T1218/010/" - - [[rule.threat.technique.subtechnique]] - name = "Rundll32" - id = "T1218.011" - reference = "https://attack.mitre.org/techniques/T1218/011/" - - [[rule.threat.technique]] - name = "System Script Proxy Execution" - id = "T1216" - reference = 
"https://attack.mitre.org/techniques/T1216/" - - [[rule.threat.technique]] - name = "XSL Script Processing" - id = "T1220" - reference = "https://attack.mitre.org/techniques/T1220/" [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml index 1f765f65c..4475a3d53 100644 --- a/rules/windows/execution_downloaded_shortcut_files.toml +++ b/rules/windows/execution_downloaded_shortcut_files.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,13 @@ name = "Downloaded Shortcut Files" risk_score = 21 rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml index a5a22b38a..14bb98b6e 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules/windows/execution_downloaded_url_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
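Review bot: The rebuilt threat block in execution_delayed_via_ping_lolbas_unsigned.toml leaves two consecutive empty `+` lines between the `T1218.011` sub-technique and the `T1220` technique, where every other technique boundary in the same hunk uses one; the same double blank precedes `[rule.threat.tactic]` in execution_ms_office_written_file.toml, and execution_enumeration_via_wmiprvse.toml, execution_mofcomp.toml and execution_ms_office_written_file.toml each gain a trailing empty line at end of file. If this spacing is what the rule formatter emits, a one-line note in docs/versioning.md saying that rule files are normalizer-generated would keep hand edits from re-flattening them; otherwise the extra blank lines should be collapsed before merge. The reorder itself appears lossless: the old side's T1059 with both sub-techniques, T1216, T1218 with its six sub-techniques, T1220 and T1497 with T1497.003 all reappear on the new side, now sorted by id.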
@@ -20,7 +18,14 @@ name = "Downloaded URL Files" risk_score = 21 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index 9fbea06f8..59c46879a 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies native Windows host and network enumeration commands spawned by the W Provider Service (WMIPrvSE). """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Enumeration Command Spawned via WMIPrvSE" 
@@ -28,13 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -73,27 +78,41 @@ process where host.os.type == "windows" and event.type == "start" and process.co not process.args : "tenable_mw_scan" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" 
@@ -104,22 +123,9 @@ id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" - -[[rule.threat.technique.subtechnique]] -id = "T1016.001" -name = "Internet Connection Discovery" -reference = "https://attack.mitre.org/techniques/T1016/001/" - -[[rule.threat.technique]] -id = "T1057" -name = "Process Discovery" -reference = "https://attack.mitre.org/techniques/T1057/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index 00c433705..ad08c31dc 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -39,7 +37,13 @@ Identifies process execution from suspicious default Windows directories. This m malware in trusted paths. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Execution from Unusual Directory - Command Line" 
@@ -113,7 +117,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index 569d4f4e1..ee8d103a5 100644 --- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -39,7 +38,12 @@ malicious code in a CHM file and deliver it to a victim for execution. CHM conte program (hh.exe). """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Network Connection via Compiled HTML File" 
@@ -108,7 +112,15 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index 6ca1ac04c..8fe4c6a5b 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml @@ -2,15 +2,13 @@ creation_date = "2024/05/12" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/12" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command -in an MSC file in order to trick victims into executing malicious commands. +Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious +command in an MSC file in order to trick victims into executing malicious commands. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] 
@@ -45,7 +43,17 @@ references = ["https://www.genians.co.kr/blog/threat_intelligence/facebook"] risk_score = 73 rule_id = "e760c72b-bb1f-44f0-9f0d-37d51744ee75" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml index d29168632..ec3ebfe1b 100644 --- a/rules/windows/execution_mofcomp.toml +++ b/rules/windows/execution_mofcomp.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,7 +19,13 @@ name = "Mofcomp Activity" risk_score = 21 rule_id = "210d4430-b371-470e-b879-80b7182aa75e" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -40,19 +44,19 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -70,3 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1546/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index 25359d1de..d441f9758 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -68,14 +66,15 @@ This rule searches for executable files written by MS Office applications execut risk_score = 73 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5" severity = "high" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -95,6 +94,7 @@ sequence with maxspan=2h ] by host.id, process.executable ''' + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -102,15 +102,12 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -121,7 +118,10 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml index bb2bbb41f..55edc986b 100644 --- a/rules/windows/execution_pdf_written_file.toml +++ b/rules/windows/execution_pdf_written_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies a suspicious file that was written by a PDF reader application and su often launched via exploitation of PDF applications. """ from = "now-120m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.file-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", +] interval = "60m" language = "eql" license = "Elastic License v2" 
@@ -68,7 +72,16 @@ This rule searches for executable files written by PDF reader software and execu risk_score = 73 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml index dc920086f..96685e222 100644 --- a/rules/windows/execution_posh_hacktool_authors.toml +++ b/rules/windows/execution_posh_hacktool_authors.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/08" integration = ["windows"] maturity = "production" -updated_date = "2024/05/08" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,6 +16,11 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "Potential PowerShell HackTool Script by Author" +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", +] +risk_score = 73 +rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0" setup = """## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. 
@@ -36,13 +39,14 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", -] -risk_score = 73 -rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 45f71e908..579739d59 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -125,7 +123,15 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" 
@@ -154,7 +160,6 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index b8850975d..4384952db 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,7 +17,12 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "PsExec Network Connection" @@ -58,7 +61,16 @@ This rule identifies PsExec execution by looking for the creation of `PsExec.exe risk_score = 21 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' 
@@ -97,22 +109,22 @@ name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" reference = "https://attack.mitre.org/techniques/T1570/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index da54d2e10..dc36a88a2 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -44,7 +43,12 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Network Connection via Registration Utility" 
@@ -105,7 +109,16 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -139,7 +152,6 @@ framework = "MITRE ATT&CK" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.009" name = "Regsvcs/Regasm" diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index e7a2ccfbb..afa9ece3f 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -14,7 +12,12 @@ within a short time period. This may indicate lateral movement or remote discove """ false_positives = ["Legitimate scheduled tasks may be created during installation of new software."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.library-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Outbound Scheduled Task Activity via PowerShell" @@ -25,13 +28,13 @@ risk_score = 47 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon" - ] + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' 
@@ -41,30 +44,32 @@ sequence by host.id, process.entity_id with maxspan = 5s [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index b43dece27..b5b97384f 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -34,7 +32,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 33c1f0309..b2aa9aee9 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies suspicious command execution (cmd) via Windows Management Instrumenta be indicative of adversary lateral movement. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Cmd Execution via WMI" 
@@ -28,7 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -46,17 +57,17 @@ id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index e29aa19bf..9a1dba523 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -32,7 +30,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index d77be8a3b..253e8841b 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies suspicious child processes of PDF reader applications. These child pr exploitation of PDF applications or social engineering. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Suspicious PDF Reader Child Process" 
@@ -76,7 +80,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -109,7 +122,6 @@ reference = "https://attack.mitre.org/techniques/T1203/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -121,6 +133,8 @@ id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 223ec981b..04bf6f51e 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
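Review bot: Dropping `min_stack_version = "8.6.0"` from execution_suspicious_powershell_imgload.toml removes the only in-file record of why this rule needed a higher floor than its siblings — the deleted `min_stack_comments` says multi-field New Terms support arrived in 8.6, and the rule's `rule.new_terms` block (next hunk, unchanged) still lists three fields in `value`. Every other file in this chunk only sheds an `8.3.0` floor, so this one deserves a separate check that the lowest stack version the repository still ships for is 8.6.0 or later; if it is, the removal is correct. Consider keeping a one-line TOML comment above the `[rule]` table, `# new_terms rule with multiple fields: requires stack >= 8.6.0`, so the dependency stays visible once the version fields are gone.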
@@ -63,13 +61,14 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly risk_score = 47 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3" severity = "medium" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -93,19 +92,20 @@ host.os.type:windows and event.category:library and ) and not process.executable.caseless : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -114,7 +114,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 61e6eab2b..8a48048d3 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -59,16 +57,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -77,24 +76,24 @@ process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" - [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 22b16f8f1..0d012b1de 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -47,7 +45,13 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Process Activity via Compiled HTML File" @@ -119,7 +123,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 16e42c765..7398ebd3c 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -79,7 +77,18 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -107,7 +116,6 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -120,7 +128,6 @@ reference = "https://attack.mitre.org/techniques/T1036/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 019b7b033..4a6fd86e8 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" - +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection. +This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials +via rogue UNC path injection. """ from = "now-9m" index = ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"] @@ -21,7 +19,15 @@ references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netn risk_score = 47 rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "new_terms" @@ -64,7 +70,6 @@ event.category:network and host.os.type:windows and process.pid:4 and ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -78,12 +83,11 @@ id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - - - [rule.new_terms] field = "new_terms_fields" value = ["destination.ip"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index ac8c3262b..5d756dbbc 100644 
--- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -71,7 +69,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -109,15 +115,16 @@ file where host.os.type == "windows" and event.type == "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" [rule.threat.tactic] id = "TA0040" diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml index afcc562e9..e588e0625 100644 --- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and o system recovery. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Deleting Backup Catalogs with Wbadmin" @@ -67,7 +71,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -80,16 +92,16 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" - [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index dc9b0e143..f03d9bf2a 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/03" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/03" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -57,9 +55,16 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa risk_score = 73 rule_id = "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] -type = "threshold" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and 
@@ -74,11 +79,11 @@ id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -90,6 +95,8 @@ id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml index cd48ff5c4..a9398ce6b 100644 --- a/rules/windows/impact_modification_of_boot_config.toml +++ b/rules/windows/impact_modification_of_boot_config.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/16" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of bcdedit.exe to delete boot configuration data. This tactic is attacker as a destructive technique. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Modification of Boot Configuration" 
@@ -67,7 +71,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml index 6b9573fa2..40e79f39b 100644 --- a/rules/windows/impact_ransomware_file_rename_smb.toml +++ b/rules/windows/impact_ransomware_file_rename_smb.toml @@ -2,15 +2,13 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware -attack via the SMB protocol. +Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote +ransomware attack via the SMB protocol. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -57,7 +55,14 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa
 risk_score = 73
 rule_id = "78e9b5d5-7c07-40a7-a591-3dbbf464c386"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -76,22 +81,21 @@ sequence by host.id with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1490"
-name = "Inhibit System Recovery"
-reference = "https://attack.mitre.org/techniques/T1490/"
-
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1490"
+name = "Inhibit System Recovery"
+reference = "https://attack.mitre.org/techniques/T1490/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -104,7 +108,9 @@ name = "SMB/Windows Admin Shares"
 reference = "https://attack.mitre.org/techniques/T1021/002/"
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml
index 2427e4a92..275961dce 100644
--- a/rules/windows/impact_ransomware_note_file_over_smb.toml
+++ b/rules/windows/impact_ransomware_note_file_over_smb.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -57,7 +55,14 @@ note = """## Triage and analysis
 risk_score = 73
 rule_id = "02bab13d-fb14-4d7c-b6fe-4a28874d37c5"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -75,22 +80,21 @@ sequence by host.id with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1490"
-name = "Inhibit System Recovery"
-reference = "https://attack.mitre.org/techniques/T1490/"
-
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1490"
+name = "Inhibit System Recovery"
+reference = "https://attack.mitre.org/techniques/T1490/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -108,3 +112,4 @@ reference = "https://attack.mitre.org/techniques/T1021/002/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index 4c7e219f9..f3b2a9e9f 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ This rule identifies a high number (10) of process terminations (stop, delete, o
 short time period.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "kuery"
 license = "Elastic License v2"
 name = "High Number of Process and/or Service Terminations"
@@ -52,9 +56,17 @@ references = ["https://www.elastic.co/security-labs/luna-ransomware-attack-patte
 risk_score = 47
 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
-type = "threshold"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
+type = "threshold"
 query = '''
 event.category:process and host.os.type:windows and event.type:start and
 process.name:(net.exe or sc.exe or taskkill.exe) and
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index 8cba18227..c55fe69b9 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints
 ransomware or other destructive attacks.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deleted or Resized via VssAdmin"
@@ -85,7 +89,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -108,3 +120,4 @@ reference = "https://attack.mitre.org/techniques/T1490/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 8fff537f8..8ca781d1d 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -13,7 +11,13 @@ Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve
 occurs in tandem with ransomware or other destructive attacks.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deletion via PowerShell"
@@ -89,7 +93,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -114,7 +127,6 @@ reference = "https://attack.mitre.org/techniques/T1490/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 737be0b3d..8cffe4dd6 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly
 other destructive attacks.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deletion via WMIC"
@@ -85,7 +89,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -108,16 +121,14 @@ reference = "https://attack.mitre.org/techniques/T1490/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index a3ebf3b31..0c6d5e6f5 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/07/03"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -28,7 +26,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
index 4c55b5c6d..6d6d1b232 100644
--- a/rules/windows/initial_access_execution_from_inetcache.toml
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/02/14"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,17 +11,31 @@ Identifies the execution of a process with arguments pointing to the INetCache F
 content via WININET during initial access.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution from INET Cache"
 references = [
-"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"
+ "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
 ]
 risk_score = 73
 rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -47,12 +59,11 @@ name = "Spearphishing Attachment"
 reference = "https://attack.mitre.org/techniques/T1566/001/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -65,3 +76,4 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/initial_access_execution_from_removable_media.toml b/rules/windows/initial_access_execution_from_removable_media.toml
index fd95d0db4..495c84b76 100644
--- a/rules/windows/initial_access_execution_from_removable_media.toml
+++ b/rules/windows/initial_access_execution_from_removable_media.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/27"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -21,7 +19,13 @@ name = "Execution from a Removable Media with Network Connection"
 risk_score = 21
 rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
@@ -36,6 +40,7 @@ sequence by process.entity_id with maxspan=5m
 [network where host.os.type == "windows" and event.action == "connection_attempted"]
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -43,7 +48,9 @@ id = "T1091"
 name = "Replication Through Removable Media"
 reference = "https://attack.mitre.org/techniques/T1091/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml
index e8e45cc7b..054e39cfd 100644
--- a/rules/windows/initial_access_execution_remote_via_msiexec.toml
+++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml
@@ -2,15 +2,13 @@
 creation_date = "2023/09/28"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse
-msiexec.exe to launch local or network accessible MSI files.
+Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may
+abuse msiexec.exe to launch local or network accessible MSI files.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
@@ -20,7 +18,14 @@ name = "Potential Remote File Execution via MSIEXEC"
 risk_score = 21
 rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
@@ -57,6 +62,7 @@ sequence with maxspan=1m
 ] by process.parent.entity_id
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -68,11 +74,12 @@ id = "T1566.002"
 name = "Spearphishing Link"
 reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -90,3 +97,4 @@ reference = "https://attack.mitre.org/techniques/T1218/007/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml
index 7c44a71a9..fd670734d 100644
--- a/rules/windows/initial_access_execution_via_office_addins.toml
+++ b/rules/windows/initial_access_execution_via_office_addins.toml
@@ -2,16 +2,13 @@
 creation_date = "2023/03/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or
-with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing
-MS Office Add-In.
+Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with
+an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
@@ -19,13 +16,22 @@ language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Microsoft Office Add-Ins"
 references = [
-"https://github.com/Octoberfest7/XLL_Phishing",
-"https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/"
+ "https://github.com/Octoberfest7/XLL_Phishing",
+ "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/",
 ]
 risk_score = 47
 rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -90,9 +96,6 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -103,8 +106,11 @@ reference = "https://attack.mitre.org/techniques/T1137/"
 id = "T1137.006"
 name = "Add-ins"
 reference = "https://attack.mitre.org/techniques/T1137/006/"
-
+
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
index 52aa662a8..6d2f0b2e5 100644
--- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
+++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/03/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
-min_stack_version = "8.4.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -17,14 +15,23 @@ index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen Removable Device"
+references = [
+ "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
+ "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings",
+]
 risk_score = 21
 rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08"
 severity = "low"
-references = [
-"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
-"https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Exfiltration",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
 ]
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "new_terms"
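Review bot: Removing `min_stack_version = "8.4.0"` from this `new_terms` rule in the `-2,9 +2,7` hunk drops the only gate that kept it away from stacks older than 8.4, where the `new_terms` rule type the deleted comment refers to did not exist, and this gate is not comparable to the `8.3.0` gates trimmed on the other rules in this commit. The removal is presumably correct only if the repository's minimum supported stack version has been raised to at least 8.4 in the same change; that is outside this chunk, so it is worth confirming before back-porting. If the supported floor is still below 8.4, the two lines `min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"` and `min_stack_version = "8.4.0"` should stay, otherwise the rule would be packaged for stacks that cannot load it.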
@@ -40,23 +47,22 @@ id = "T1091"
 name = "Replication Through Removable Media"
 reference = "https://attack.mitre.org/techniques/T1091/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1052"
 name = "Exfiltration Over Physical Medium"
 reference = "https://attack.mitre.org/techniques/T1052/"
+[[rule.threat.technique.subtechnique]]
+id = "T1052.001"
+name = "Exfiltration over USB"
+reference = "https://attack.mitre.org/techniques/T1052/001/"
- [[rule.threat.technique.subtechnique]]
- id = "T1052.001"
- name = "Exfiltration over USB"
- reference = "https://attack.mitre.org/techniques/T1052/001/"
 [rule.threat.tactic]
@@ -64,10 +70,11 @@ id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["registry.path"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
+
+
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
index d721eef4d..60d4797b8 100644
--- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/24"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -19,17 +17,31 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious JetBrains TeamCity Child Process"
 references = [
- "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html"
+ "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html",
 ]
 risk_score = 47
 rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Endgame",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -65,8 +77,6 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -77,13 +87,16 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index c1cf05089..54732f29f 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -78,7 +76,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -110,8 +118,6 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -122,6 +128,7 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.005"
 name = "Visual Basic"
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index 578905ab6..c9c97d1bc 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/27"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,14 +11,29 @@ Identifies use of the built-in Windows script interpreters (cscript.exe or wscri
 via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.library-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Script Interpreter Executing Process via WMI"
 risk_score = 47
 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
@@ -73,10 +86,13 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -86,10 +102,6 @@ id = "T1059.005"
 name = "Visual Basic"
 reference = "https://attack.mitre.org/techniques/T1059/005/"
-[[rule.threat.technique]]
-id = "T1047"
-name = "Windows Management Instrumentation"
-reference = "https://attack.mitre.org/techniques/T1047/"
 [rule.threat.tactic]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 9e1d6e88d..c82c46e2f 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -51,7 +49,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -85,8 +93,6 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 559342a05..17f88e2e4 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -19,7 +17,13 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Exchange Server UM Spawning Suspicious Processes"
@@ -38,7 +42,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -70,7 +83,6 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index 2b7e956e3..ada3c4421 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/08"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -57,7 +64,6 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -68,12 +74,14 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 3552617eb..90ea17b54 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ These child processes are often launched during exploitation of Office applicati
 macros.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious MS Office Child Process"
@@ -77,7 +81,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -145,7 +159,6 @@ reference = "https://attack.mitre.org/techniques/T1059/003/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -154,7 +167,6 @@ name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index f3e9a2167..34f4c925c 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,14 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe
 phishing activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious MS Outlook Child Process"
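Review bot: Removing `min_stack_version = "8.11.0"` from initial_access_suspicious_ms_outlook_child_process.toml drops the only pin that, per the removed comment, existed so the `sentinel_one_cloud_funnel` integration package could be validated, while the rule still lists that integration and queries `logs-sentinel_one_cloud_funnel.*`. Unlike the other files in this patch, whose pins were at 8.3.0, this one is recent, so whether it is redundant depends on the new minimum stack version this version trimming establishes, which is not visible here. If that floor is at or above 8.11 the removal is fine and a one-line note in the commit would make that explicit; if it is lower, the rule should keep `min_stack_comments = "SentinelOne integration package minimum version for validation."` and `min_stack_version = "8.11.0"` so it is not packaged for stacks where the SentinelOne schema is unavailable. The same consideration applies to any other rule in this patch that carried a pin above the new floor.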
@@ -75,7 +80,18 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -110,7 +126,6 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -133,7 +148,6 @@ reference = "https://attack.mitre.org/techniques/T1059/003/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -142,7 +156,6 @@ name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 1bf889fb9..8fb53b5a5 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -28,7 +26,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -71,7 +79,6 @@ reference = "https://attack.mitre.org/techniques/T1566/002/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -87,6 +94,7 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.005"
 name = "Visual Basic"
@@ -98,7 +106,6 @@ reference = "https://attack.mitre.org/techniques/T1059/005/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -107,7 +114,6 @@ name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
index 507f47c25..e4fe726f8 100644
--- a/rules/windows/initial_access_webshell_screenconnect_server.toml
+++ b/rules/windows/initial_access_webshell_screenconnect_server.toml
@@ -2,18 +2,22 @@
 creation_date = "2024/03/26"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may
-indicate exploitation activity or access to an existing web shell backdoor.
+Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This
+activity may indicate exploitation activity or access to an existing web shell backdoor.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+ "logs-system.security*",
+ "endgame-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "ScreenConnect Server Spawning Suspicious Processes"
@@ -21,7 +25,16 @@ references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-s
 risk_score = 73
 rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -45,7 +58,6 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -56,12 +68,14 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml
index e757c7ffb..4b35a4ed9 100644
--- a/rules/windows/initial_access_xsl_script_execution_via_com.toml
+++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml
@@ -2,14 +2,12 @@
 creation_date = "2023/09/27"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes.
+Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes.
 This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
 """
 from = "now-9m"
@@ -20,7 +18,14 @@ name = "Remote XSL Script Execution via COM"
 risk_score = 21
 rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
@@ -38,6 +43,7 @@ sequence with maxspan=1m
 "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -55,7 +61,6 @@ reference = "https://attack.mitre.org/techniques/T1566/002/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -68,3 +73,4 @@ reference = "https://attack.mitre.org/techniques/T1220/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml
index 2e4d081e5..e2460af09 100644
--- a/rules/windows/lateral_movement_alternate_creds_pth.toml
+++ b/rules/windows/lateral_movement_alternate_creds_pth.toml
@@ -2,16 +2,14 @@
 creation_date = "2023/03/29"
 integration = ["windows", "system"]
 maturity = "production"
-min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
-min_stack_version = "8.4.0"
-updated_date = "2024/01/16"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Adversaries may pass the hash using stolen password hashes to move laterally within an environment,
-bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user
-without having access to the user's cleartext password.
+Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal
+system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's
+cleartext password.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
@@ -52,11 +50,11 @@ id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.id"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
+
+
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 1ac54fbac..191930a7c 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
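Review bot: Dropping `min_stack_version = "8.4.0"` from lateral_movement_alternate_creds_pth.toml removes a pin whose own comment tied it to a capability rather than to schema fields: the `new_terms` rule type, which this rule still uses (`[rule.new_terms]` appears in the second hunk of this file). That is a different justification from the `8.3.0` pins removed elsewhere in this patch, which only covered added metadata fields, so it deserves separate confirmation that the trimmed minimum stack version is now 8.4 or later; the floor itself is not visible in this diff. If it is, the removal is correct and nothing else is needed; if it is not, the pin (`min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"` and `min_stack_version = "8.4.0"`) should stay so the rule is not released to a stack that cannot load a new_terms rule.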
@@ -13,14 +11,26 @@ Identifies use of sc.exe to create, modify, or start services on remote hosts. T
 lateral movement but will be noisy if commonly done by admins.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Service Command Lateral Movement"
 risk_score = 21
 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index 2fbca0f11..428f9abd7 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,12 @@ launched via the HTA Application COM Object. This behavior may indicate an attac
 laterally while attempting to evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement via MSHTA"
@@ -22,7 +25,14 @@ references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"]
 risk_score = 73
 rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index 96af58d40..472b5eaa4 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,12 @@ via the MMC20 Application COM Object. This behavior may indicate an attacker abu
 laterally.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with MMC"
@@ -22,7 +25,15 @@ references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20
 risk_score = 73
 rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
@@ -53,20 +64,19 @@ reference = "https://attack.mitre.org/techniques/T1021/003/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1218.014"
 name = "MMC"
 reference = "https://attack.mitre.org/techniques/T1218/014/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index b6dca9f73..b2a95628a 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,12 @@ the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may
 application to stealthily move laterally.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
@@ -22,7 +25,14 @@ references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-
 risk_score = 47
 rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index e05a7b2c0..43a994b5e 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/22"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -24,7 +22,16 @@ references = [
 risk_score = 47
 rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -54,7 +61,6 @@ reference = "https://attack.mitre.org/techniques/T1021/002/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -62,6 +68,7 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 1ff1b29f6..3cdaefdf9 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -97,7 +95,14 @@ This rule looks for unexpected processes making network connections over port 44
 risk_score = 47
 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index d2abebdb9..0ef61678a 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/04/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ indicative of an active RDP shadowing session. An adversary may abuse the RDP Sh
 other users active RDP sessions.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.registry-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Shadowing Activity"
@@ -33,7 +37,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -63,12 +75,13 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1021.001"
 name = "Remote Desktop Protocol"
 reference = "https://attack.mitre.org/techniques/T1021/001/"
+
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 88d746d28..f9b06fa6f 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/10"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -61,7 +59,14 @@ Adversaries can use network shares to host tooling to support the compromise of risk_score = 47 rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index a49d4b795..7e06777f9 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint ts indicate a lateral movement attempt. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Execution via TSClient Mountpoint" 
@@ -29,7 +33,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -44,13 +55,13 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 03cf02f73..78ee33364 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/04/08" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -91,11 +89,21 @@ Adversaries can use network shares to host tooling to support the compromise of - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = ["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"] +references = [ + "http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html", +] risk_score = 47 rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index 1fc13abf8..2384ec06e 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,14 +17,26 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Incoming Execution via WinRM Remote Shell" risk_score = 47 rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -50,6 +60,7 @@ name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index b1ff8aaef..296271162 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,14 +11,26 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "WMI Incoming Lateral Movement" risk_score = 47 rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -51,12 +61,12 @@ sequence by host.id with maxspan = 2s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index e1bdd3832..72bacb2d8 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ Identifies the use of net.exe to mount a WebDav or hidden remote share. This may preparation for data exfiltration. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Mounting Hidden or WebDav Remote Shares" @@ -28,7 +32,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -78,7 +90,6 @@ reference = "https://attack.mitre.org/techniques/T1078/003/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -89,11 +100,14 @@ reference = "https://attack.mitre.org/techniques/T1087/" id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" + [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" 
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index abdb422d0..51b8ffdcf 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,7 +17,12 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Incoming Execution via PowerShell Remoting" @@ -29,7 +32,15 @@ references = [ risk_score = 47 rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -52,11 +63,12 @@ id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -69,6 +81,7 @@ name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 2e5acf0e3..c7d277c00 100644 --- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,7 +62,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -99,9 +107,6 @@ reference = "https://attack.mitre.org/techniques/T1021/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -109,6 +114,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml index dd56f8c1e..6d75397aa 100644 --- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml +++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -24,7 +22,13 @@ references = [ risk_score = 73 rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", +] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 2d06b035c..6517803a3 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ Identifies a remote file copy attempt to a hidden network share. This may indica activity. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Remote File Copy to a Hidden Share" @@ -28,7 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml index 7230fa974..a81566037 100644 --- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml +++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -20,7 +18,13 @@ name = "Remote Windows Service Installed" risk_score = 47 rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", +] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index aedaa22b5..da85d66e7 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/04/08" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -39,7 +37,12 @@ Identifies remote execution of Windows services over remote procedure call (RPC) movement, but will be noisy if commonly done by administrators. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Remotely Started Services via RPC" 
@@ -103,7 +106,15 @@ references = [ risk_score = 47 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml index a82088772..388703c71 100644 --- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml +++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml @@ -2,15 +2,11 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement. -""" +description = "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.\n" from = "now-9m" index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"] language = "eql" @@ -49,8 +45,8 @@ risk_score = 47 rule_id = "9c865691-5599-447a-bac9-b3f2df5f9a9d" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"] -type = "eql" timestamp_override = "event.ingested" +type = "eql" query = ''' iam where event.action == "scheduled-task-created" and 
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index 3234e9731..875bfd3ab 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml +++ b/rules/windows/lateral_movement_scheduled_task_target.toml @@ -2,15 +2,18 @@ creation_date = "2020/11/20" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement." from = "now-9m" -index = ["logs-endpoint.events.registry-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.registry-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Remote Scheduled Task Creation" @@ -45,7 +48,15 @@ note = """## Triage and analysis risk_score = 47 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml index 4bcc98b9f..b68fdf713 100644 --- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml 
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -29,7 +27,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -65,12 +71,13 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml index a58605b33..31ee07927 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_children.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,13 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Unusual Child Process of dns.exe" @@ -77,7 +81,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml index 0675a63a9..dea6f0ce6 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -40,7 +38,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index 2b52e22a8..650371712 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,7 +27,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -50,13 +56,13 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml index 222a1d54e..98eab1918 100644 --- a/rules/windows/persistence_ad_adminsdholder.toml +++ b/rules/windows/persistence_ad_adminsdholder.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/31" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/09" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -27,7 +25,14 @@ references = [ risk_score = 73 rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", +] timestamp_override = "event.ingested" type = "query" @@ -43,17 +48,18 @@ framework = "MITRE ATT&CK" id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 7c944c247..7dce05cfb 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
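Review bot: The removed `min_stack_version = "8.11.0"` in the `@@ -2,9 +2,7 @@` hunk of persistence_adobe_hijack_persistence.toml is not an 8.3.0 trim like the rest of this patch; its own comment tied the floor to the SentinelOne integration package used for schema validation. If the backport branch's minimum supported stack is below 8.11.0, the `logs-sentinel_one_cloud_funnel.*` index this rule reads can no longer be validated against the package that introduced it, so the floor should either stay or the branch floor should be stated in the commit description. If a repo-wide floor now covers it, a one-line note in docs/versioning.md saying that SentinelOne-dependent rules rely on that floor would spare the next backport the same question. The branch's global minimum is not visible from this hunk, so treat this as confirm-before-merge rather than a certain regression.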
@@ -36,7 +34,13 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu author = ["Elastic"] description = "Detects writing executable files that will be automatically launched by Adobe on launch." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Adobe Hijack Persistence" @@ -101,7 +105,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" @@ -115,6 +129,11 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Client Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" 
@@ -124,11 +143,6 @@ id = "T1574.010"
 name = "Services File Permissions Weakness"
 reference = "https://attack.mitre.org/techniques/T1574/010/"
-[[rule.threat.technique]]
-id = "T1554"
-name = "Compromise Client Software Binary"
-reference = "https://attack.mitre.org/techniques/T1554/"
-
 [rule.threat.tactic]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 297c90897..d1bf7ee53 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -20,7 +18,14 @@ name = "Installation of Custom Shim Databases"
 risk_score = 47
 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 0313a9910..83d94b2e9 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Detects attempts to maintain persistence by creating registry keys using AppCert
 process using the common API functions to create processes.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+  "winlogbeat-*",
+  "logs-endpoint.events.registry-*",
+  "logs-windows.sysmon_operational-*",
+  "endgame-*",
+  "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Registry Persistence via AppCert DLL"
@@ -28,7 +32,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Tactic: Privilege Escalation",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+  "Data Source: SentinelOne",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -60,7 +74,6 @@ reference = "https://attack.mitre.org/techniques/T1546/009/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index 104d726eb..28fb63edc 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index 32a8066c7..5510e1a7d 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -20,7 +18,13 @@ name = "Browser Extension Install"
 risk_score = 21
 rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -45,6 +49,7 @@ file where host.os.type == "windows" and event.action : "creation" and
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -52,7 +57,9 @@ id = "T1176"
 name = "Browser Extensions"
 reference = "https://attack.mitre.org/techniques/T1176/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index a17685c15..47ca6bb66 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -71,7 +69,7 @@ tags = [
   "Tactic: Persistence",
   "Data Source: Active Directory",
   "Resources: Investigation Guide",
-  "Use Case: Active Directory Monitoring"
+  "Use Case: Active Directory Monitoring",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index fc11dc014..f8fc9d5dc 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -60,7 +58,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Resources: Investigation Guide",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index d9072494d..5488b17de 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -23,7 +21,16 @@ references = [
 risk_score = 47
 rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Tactic: Defense Evasion",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -61,9 +68,6 @@ reference = "https://attack.mitre.org/techniques/T1546/012/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -71,6 +75,7 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 466f46252..68063c7b4 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -98,7 +96,17 @@ Techniques used within malware and by adversaries often leverage the Windows reg
 risk_score = 73
 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Tactic: Defense Evasion",
+  "Resources: Investigation Guide",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -144,9 +152,6 @@ reference = "https://attack.mitre.org/techniques/T1547/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -154,6 +159,7 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index 2a6f2e67c..aee75496d 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ task scheduling functionality to facilitate initial or recurring execution of ma
 """
 false_positives = ["Legitimate scheduled jobs may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+  "winlogbeat-*",
+  "logs-endpoint.events.file-*",
+  "logs-windows.sysmon_operational-*",
+  "endgame-*",
+  "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Scheduled Job Creation"
@@ -29,7 +33,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+  "Data Source: SentinelOne",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 1700e0056..26e1a4dba 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -25,7 +23,14 @@ references = [
 risk_score = 21
 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index d553e5e1f..a3f1b4f8e 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ an adversary to establish persistence.
 """
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = [
+  "winlogbeat-*",
+  "logs-endpoint.events.registry-*",
+  "logs-endpoint.events.library-*",
+  "logs-windows.sysmon_operational-*",
+  "endgame-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Scheduled Task Created by a Windows Script"
@@ -24,7 +28,16 @@ Decode the base64 encoded Tasks Actions registry value to investigate the task's
 risk_score = 47
 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Tactic: Execution",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
@@ -56,7 +69,6 @@ reference = "https://attack.mitre.org/techniques/T1053/005/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index f40d7cb52..eccc979af 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -26,7 +24,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -48,12 +54,13 @@ framework = "MITRE ATT&CK"
 id = "T1137"
 name = "Office Application Startup"
 reference = "https://attack.mitre.org/techniques/T1137/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1137.006"
 name = "Add-ins"
 reference = "https://attack.mitre.org/techniques/T1137/006/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 89474f8e5..8d5bf2ff5 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -30,7 +28,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
index 8d7e3af7c..3efb314e3 100644
--- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
+++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -40,7 +38,14 @@ Audit User Account Management (Success,Failure)
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Use Case: Active Directory Monitoring",
+  "Data Source: Active Directory",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml
index 79bc50904..f081de1f7 100644
--- a/rules/windows/persistence_msoffice_startup_registry.toml
+++ b/rules/windows/persistence_msoffice_startup_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -24,7 +22,14 @@ references = [
 risk_score = 21
 rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Tactic: Defense Evasion",
+  "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -33,6 +38,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and
 registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -43,12 +49,13 @@ reference = "https://attack.mitre.org/techniques/T1137/"
 id = "T1137.002"
 name = "Office Test"
 reference = "https://attack.mitre.org/techniques/T1137/002/"
-
+
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -56,6 +63,7 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
index ef39af451..b7391f7f2 100644
--- a/rules/windows/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
@@ -2,16 +2,14 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality.
-Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done
-by administrators or a scheduled task.
+Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its
+functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed,
+which can be done by administrators or a scheduled task.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.registry-*", "endgame-*"]
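Review bot: The rewrapped description in persistence_netsh_helper_dll.toml still carries the comma splice from the old text in its first line, `Identifies the addition of a Netsh Helper DLL, netsh.exe supports ...`, which reads as one run-on sentence in the rule's user-facing summary. Since the rewrap already rewrites all three lines, it is the natural moment to fix the punctuation as well: `Identifies the addition of a Netsh Helper DLL; netsh.exe supports the addition of these DLLs to extend its`. The remaining two lines can stay as wrapped.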
@@ -21,7 +19,14 @@ name = "Netsh Helper DLL"
 risk_score = 21
 rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -46,12 +51,11 @@ name = "Netsh Helper DLL"
 reference = "https://attack.mitre.org/techniques/T1546/007/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -64,3 +68,4 @@ reference = "https://attack.mitre.org/techniques/T1112/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index e7fbc4f3a..37ab09c27 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ Adversaries may target user email to collect sensitive information.
 """
 false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+  "logs-endpoint.events.process-*",
+  "winlogbeat-*",
+  "logs-windows.*",
+  "endgame-*",
+  "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "New ActiveSyncAllowedDeviceID Added via PowerShell"
@@ -33,7 +37,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Tactic: Execution",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -60,7 +72,6 @@ reference = "https://attack.mitre.org/techniques/T1098/002/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 04eaf0402..668dc35ed 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/10/13"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -103,7 +102,16 @@ references = [
 risk_score = 47
 rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Tactic: Privilege Escalation",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -133,7 +141,6 @@ reference = "https://attack.mitre.org/techniques/T1546/013/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index e6088b0d8..857ad7581 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -110,7 +108,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Resources: Investigation Guide",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 22539edbe..18011a988 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -21,7 +19,14 @@ references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=27620
 risk_score = 47
 rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Persistence",
+  "Data Source: Elastic Defend",
+  "Data Source: Sysmon",
+]
 timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
@@ -93,6 +98,16 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.002"
+name = "Screensaver"
+reference = "https://attack.mitre.org/techniques/T1546/002/"
+
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
@@ -102,14 +117,7 @@ id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-[[rule.threat.technique.subtechnique]]
-id = "T1546.002"
-name = "Screensaver"
-reference = "https://attack.mitre.org/techniques/T1546/002/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 2d616617e..a15ea8909 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -2,9 +2,7 @@ creation_date = "2021/10/18" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,7 +17,6 @@ language = "eql" license = "Elastic License v2" name = "Account Password Reset Remotely" note = """ - ## Performance This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity. """ @@ -32,7 +29,13 @@ references = [ risk_score = 47 rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Impact", +] type = "eql" query = ''' @@ -68,15 +71,14 @@ reference = "https://attack.mitre.org/techniques/T1098/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1531" name = "Account Access Removal" reference = "https://attack.mitre.org/techniques/T1531/" + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index 7d7ea941d..b03de1503 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -103,7 +101,15 @@ Adversaries may achieve persistence by referencing a program with a registry run
 risk_score = 21
 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 8fc63c139..e4e953843 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -20,7 +18,15 @@ name = "Execution of Persistent Suspicious Program"
 risk_score = 47
 rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml
index 18db7189b..ed3a6f2fd 100644
--- a/rules/windows/persistence_scheduled_task_creation_winlog.toml
+++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/01/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml
index a2b566ef3..dd23a6bc2 100644
--- a/rules/windows/persistence_scheduled_task_updated.toml
+++ b/rules/windows/persistence_scheduled_task_updated.toml
@@ -2,10 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
-
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index 396217ba5..d5d88fd76 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/24"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -94,7 +92,7 @@ tags = [ "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "eql" @@ -110,22 +108,22 @@ any where event.action == "Directory Service Changes" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml index d348c770f..4c9bda1fc 100644 --- a/rules/windows/persistence_service_dll_unsigned.toml +++ b/rules/windows/persistence_service_dll_unsigned.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/17" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." -min_stack_version = "8.4.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
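Review bot: Dropping `min_stack_version = "8.4.0"` in the persistence_service_dll_unsigned.toml hunk removes the only guard that kept this rule off stacks whose Endpoint data lacks `dll.Ext.relative_file_creation_time` (the removed `min_stack_comments` line says the field is populated from Endpoint 8.4 on), and that is safe only if the trimmed floor in `stack-schema-map.yaml` is at or above 8.4.0, which this hunk does not show. The same question applies to the 8.8.0 floor removed from persistence_sysmon_wmi_event_subscription.toml and to the 8.11.0 floor removed from persistence_system_shells_via_services.toml, whose removed comment says the version was needed for SentinelOne integration-package validation. If the new floor is below any of these values, the corresponding `min_stack_version` line should stay; otherwise a sentence in the PR description naming the new minimum stack version would make the trim verifiable.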
@@ -20,7 +18,15 @@ name = "Unsigned DLL Loaded by Svchost" risk_score = 47 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -136,24 +142,23 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml index 7bd5af1c5..813526bb1 100644 --- a/rules/windows/persistence_service_windows_service_winlog.toml +++ b/rules/windows/persistence_service_windows_service_winlog.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -30,15 +28,20 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ + [rule] author = ["Elastic"] description = """ 
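Review bot: Wrapping the two `SELECT` statements across lines inside a TOML `"""` basic string changes the stored value of `query`, because each line break becomes a literal newline in the string; osquery's SQL parser tolerates that, so the investigation queries still run, but anything that compares the query text verbatim will see a changed value. If the goal was only to shorten the source lines, end each wrapped line with a backslash (`... directory, image, \`) so TOML trims the newline and the following indentation and the value stays byte-identical to the old one-line form. This applies to both the non-Microsoft-drivers and the unsigned-drivers queries in this hunk.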
@@ -94,7 +97,13 @@ This rule looks for suspicious services being created with suspicious traits com risk_score = 47 rule_id = "da87eee1-129c-4661-a7aa-57d0b9645fad" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index 9fae059ac..c58066cae 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,7 +19,16 @@ name = "Unusual Persistence via Services Registry" risk_score = 21 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -67,9 +74,6 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -77,6 +81,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index 1cbcef5d6..da4b46589 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -111,7 +109,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index e3c7edc80..7e42c9674 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml 
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/04/08" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -102,7 +100,15 @@ This rule looks for unsigned processes writing to the Startup folder locations. risk_score = 47 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -140,19 +146,19 @@ reference = "https://attack.mitre.org/techniques/T1547/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index a773d1af6..fe6a4bcdd 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -110,7 +108,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 8b63c6535..29a569e13 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -72,7 +70,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation","Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -148,7 +156,6 @@ reference = "https://attack.mitre.org/techniques/T1546/015/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -166,9 +173,6 @@ reference = "https://attack.mitre.org/techniques/T1546/015/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -176,6 +180,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index ee16c9b79..c03e8ea71 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -124,7 +123,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" 
@@ -142,31 +150,30 @@ framework = "MITRE ATT&CK" id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index 7a9d64617..d74b17c8c 100644 --- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -26,7 +24,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -89,7 +94,6 @@ reference = "https://attack.mitre.org/techniques/T1053/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -102,6 +106,7 @@ name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index 5af4cd96a..2f2ffddac 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -20,7 +18,16 @@ name = "Suspicious ImagePath Service Creation" risk_score = 73 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -51,9 +58,6 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -61,6 +65,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml index f575f2ec6..617d438f1 100644 --- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml +++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/02" integration = ["windows"] maturity = "production" -min_stack_comments = "Related integrations field type changes in 8.8.0" -min_stack_version = "8.8.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -18,13 +16,19 @@ language = "eql" license = "Elastic License v2" name = "Suspicious WMI Event Subscription Created" references = [ - "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", - "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96", + "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", + "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96", ] risk_score = 47 rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -33,18 +37,19 @@ any where event.dataset == "windows.sysmon_operational" and event.code == "21" a winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.003" +name = "Windows Management Instrumentation Event Subscription" +reference = "https://attack.mitre.org/techniques/T1546/003/" + - [[rule.threat.technique.subtechnique]] - id = "T1546.003" - name = "Windows Management Instrumentation Event Subscription" - reference = "https://attack.mitre.org/techniques/T1546/003/" [rule.threat.tactic] id = "TA0003" 
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index cfc9e2311..0d6cd6a01 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -27,6 +25,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -34,7 +33,14 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati testers may run a shell as a service to gain SYSTEM permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "System Shells via Services" 
@@ -81,7 +87,17 @@ This rule looks for system shells being spawned by `services.exe`, which is comp risk_score = 47 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" @@ -112,7 +128,6 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -123,6 +138,7 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index 233359c3c..f594f5be0 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -22,7 +20,13 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti risk_score = 47 rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", +] type = "eql" query = ''' @@ -31,6 +35,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,20 +53,19 @@ reference = "https://attack.mitre.org/techniques/T1053/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 96b066dde..6349b995f 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -98,7 +97,16 @@ references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"] risk_score = 47 rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -134,7 +142,6 @@ reference = "https://attack.mitre.org/techniques/T1547/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index a9bf18fa9..5d34c49c0 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/09" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Skoetting"] 
@@ -61,7 +59,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index bd955a90f..1f23de1ad 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies attempts to create new users. This is sometimes done by attackers to
 on a system or domain.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "User Account Creation"
@@ -61,7 +65,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index de2cfc044..fdebc251f 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/01"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ changes over time. This Windows functionality has been abused by attackers to st
 code execution in legitimate Windows processes.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Application Shimming via Sdbinst"
@@ -29,7 +33,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index b0b62e819..4dd8ee1d9 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/12/04"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ that runs after a job finishes transferring data or after a job enters a specifi
 system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via BITS Job Notify Cmdline"
@@ -35,7 +39,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index db0134e02..93cbe924c 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -71,10 +79,8 @@ reference = "https://attack.mitre.org/techniques/T1547/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1106" name = "Native API" @@ -85,8 +91,6 @@ reference = "https://attack.mitre.org/techniques/T1106/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -94,6 +98,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 9a700a80b..9f8ee232a 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,7 +26,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -61,9 +68,6 @@ reference = "https://attack.mitre.org/techniques/T1547/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -71,6 +75,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index 58ffb83f7..a981690a0 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,13 +11,17 @@ Detects the successful hijack of Microsoft Compatibility Appraiser scheduled tas
 integrity level of system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via TelemetryController Scheduled Task Hijack"
-references = [
- "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence",
-]
+references = ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"]
 risk_score = 73
 rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
 setup = """## Setup
@@ -31,7 +33,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -64,14 +74,13 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" @@ -81,13 +90,13 @@ id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index 58ef5c3fe..51551db3b 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -107,7 +105,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Use Case: Vulnerability",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -149,7 +157,6 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 0e9060c0e..02d9eb646 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ bindings that execute code when a defined event occurs. Adversaries may use the event and execute arbitrary code when that event occurs, providing persistence on a system. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Persistence via WMI Event Subscription" @@ -30,7 +34,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -59,15 +71,14 @@ reference = "https://attack.mitre.org/techniques/T1546/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index 625e1c3c6..8d26a4ebe 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -101,7 +100,14 @@ references = [ risk_score = 73 rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index 9e7f7d5da..41d3b2611 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may
 using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via MSSQL xp_cmdshell Stored Procedure"
@@ -62,7 +66,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -81,38 +93,37 @@ process where host.os.type == "windows" and event.type == "start" and process.pa ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] id = "T1505.001" name = "SQL Stored Procedures" reference = "https://attack.mitre.org/techniques/T1505/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 2c40fa273..3fa3d1644 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -2,9 +2,7 @@ creation_date = "2021/08/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "SentinelOne integration package minimum version for validation." -min_stack_version = "8.11.0" -updated_date = "2024/05/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -16,7 +14,14 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Web Shell Detection: Script Process Child of Common Web Processes"
@@ -79,7 +84,18 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -129,9 +145,13 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -140,22 +160,18 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - - [rule.threat.tactic] id = "TA0002" diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml index 2ca1d4296..fa3636187 100644 --- a/rules/windows/persistence_werfault_reflectdebugger.toml +++ b/rules/windows/persistence_werfault_reflectdebugger.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,7 +19,14 @@ references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.h risk_score = 21 rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -41,12 +46,11 @@ id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -59,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml index 9f6d7a2e6..ecd4afd29 100644 --- a/rules/windows/privilege_escalation_create_process_as_different_user.toml +++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml index d3675bbc2..ffd8fd020 100644 --- a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml +++ b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: process.Ext.effective_parent.executable, process.Ext.effective_parent.name, process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time" -min_stack_version = "8.4.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -17,13 +15,17 @@ index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Created with a Duplicated Token"
-references = [
- "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw",
-]
+references = ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"]
 risk_score = 47
 rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -64,7 +66,6 @@ framework = "MITRE ATT&CK"
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1134.001"
 name = "Token Impersonation/Theft"
@@ -81,3 +82,4 @@ reference = "https://attack.mitre.org/techniques/T1134/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml
index 154f98b3d..8c3dc14a8 100644
--- a/rules/windows/privilege_escalation_credroaming_ldap.toml
+++ b/rules/windows/privilege_escalation_credroaming_ldap.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -43,7 +41,14 @@ Audit Directory Service Changes (Success,Failure)
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Data Source: Active Directory",
+ "Tactic: Privilege Escalation",
+ "Use Case: Active Directory Monitoring",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 007400959..2dd83bb73 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +80,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -120,6 +127,11 @@ name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
@@ -129,6 +141,7 @@ id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
@@ -138,11 +151,6 @@ id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
@@ -150,4 +158,3 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml
index 8bcae7a6e..4b8812b03 100644
--- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml
+++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml
@@ -1,30 +1,32 @@
 [metadata]
 creation_date = "2022/12/19"
-maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
-min_stack_version = "8.6.0"
 integration = ["endpoint"]
-updated_date = "2024/03/28"
+maturity = "production"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
+issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
+authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
 """
 [[transform.osquery]]
 label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
+issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
+authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
 """
+
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the load of a driver with an original file name and signature values that were observed
-for the first time during the last 30 days. This rule type can help baseline drivers installation
-within your environment.
+Identifies the load of a driver with an original file name and signature values that were observed for the first time
+during the last 30 days. This rule type can help baseline drivers installation within your environment.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.library-*"]
@@ -97,7 +99,15 @@ references = ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-drive
 risk_score = 47
 rule_id = "df0fd41e-5590-4965-ad5e-cd079ec22fa9"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -105,6 +115,7 @@ query = '''
 event.category:"driver" and host.os.type:windows and event.action:"load"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -117,8 +128,6 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -131,6 +140,7 @@ name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -142,3 +152,5 @@ value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-30d"
+
+
diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml
index a94586c12..5026c5b06 100644
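Review bot: Removing `min_stack_version = "8.6.0"` from the `[metadata]` table in the first hunk of privilege_escalation_driver_newterm_imphash.toml drops the file's only statement of the stack floor this rule still depends on: it stays `type = "new_terms"` with two `new_terms_fields` values (`dll.pe.original_file_name`, `dll.code_signature.subject_name`), which is exactly what the removed `min_stack_comments` line recorded. The `min_stack_version = "8.4.0"` removal in privilege_escalation_newcreds_logon_rare_process.toml has the same shape, with its removed comment tying the floor to the new_terms rule type. Presumably a repository-wide minimum now covers both files; it is worth confirming that minimum is at least 8.6.0 before this backport lands, and stating where that floor is now enforced in the commit description so the next reader of these rules does not have to rediscover it.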
--- a/rules/windows/privilege_escalation_expired_driver_loaded.toml
+++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/06/26"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -18,12 +16,19 @@ language = "eql"
 license = "Elastic License v2"
 name = "Expired or Revoked Driver Loaded"
 references = [
- "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"
+ "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN",
 ]
 risk_score = 47
 rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -32,6 +37,7 @@ driver where host.os.type == "windows" and process.pid == 4 and
 dll.code_signature.status : ("errorExpired", "errorRevoked")
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -44,20 +50,19 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
index a25aab233..d73ec6d3b 100644
--- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml
+++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
@@ -2,27 +2,32 @@
 creation_date = "2024/04/23"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/23"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
-description = """
-Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
-"""
+description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"
 from = "now-9m"
 index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential privilege escalation via CVE-2022-38028"
 references = [
- "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"
+ "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/",
 ]
 risk_score = 73
 rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -32,6 +37,7 @@ file where host.os.type == "windows" and
 "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js")
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
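Review bot: In the first hunk of privilege_escalation_exploit_cve_202238028.toml the `description` is rewritten as a single basic string ending in an explicit `\n` escape, while every other rule touched by this patch keeps `description = """` multi-line literals (privilege_escalation_make_token_local.toml and privilege_escalation_newcreds_logon_rare_process.toml, for example). The stored value is unchanged, since the removed literal also ended with a newline, but the trailing escape is easy to lose on the next edit and the one-line form stands out from its siblings. Keeping the removed form, `description = """` / `Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.` / `"""`, would match the rest of the rule set.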
@@ -44,7 +50,6 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -52,6 +57,7 @@ id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
index 11fcae30c..5208f641c 100644
--- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
+++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -29,7 +27,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -58,7 +65,6 @@ reference = "https://attack.mitre.org/techniques/T1484/001/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index e7e5d9fdd..51ebb21e5 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -92,7 +90,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring"
+ "Use Case: Active Directory Monitoring",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index ba092d3ff..cd65fe208 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -74,7 +72,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring"
+ "Use Case: Active Directory Monitoring",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index f40348e6c..53ad7a334 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -95,7 +93,7 @@ tags = [
 "Tactic: Lateral Movement",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring"
+ "Use Case: Active Directory Monitoring",
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -136,10 +134,8 @@ reference = "https://attack.mitre.org/techniques/T1484/001/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1570"
 name = "Lateral Tool Transfer"
@@ -150,3 +146,4 @@ reference = "https://attack.mitre.org/techniques/T1570/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index aed4bd9d3..d1f06892c 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/11/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -110,7 +108,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index 07bf29f33..83e22935c 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/04/27"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -27,7 +25,15 @@ references = [
 risk_score = 73
 rule_id = "e4e31051-ee01-4307-a6ee-b21b186958f4"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Credential Access",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 9464e43ef..2815d0320 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -21,7 +19,14 @@ name = "Potential LSA Authentication Package Abuse"
 risk_score = 47
 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml
index 9ee903cf9..4127468df 100644
--- a/rules/windows/privilege_escalation_make_token_local.toml
+++ b/rules/windows/privilege_escalation_make_token_local.toml
@@ -2,15 +2,13 @@
 creation_date = "2023/12/04"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/01/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may
-create a new token to escalate privileges and bypass access controls.
+Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new
+token to escalate privileges and bypass access controls.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
@@ -74,3 +72,4 @@ reference = "https://attack.mitre.org/techniques/T1134/003/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index ff81077a5..1edba51e5 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,13 @@ Identifies a privilege escalation attempt via named pipe impersonation. An adver
 utilizing a framework such Metasploit's meterpreter getsystem command.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Privilege Escalation via Named Pipe Impersonation"
@@ -116,7 +120,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
index d8b013c2e..5787866e3 100644
--- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
+++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
@@ -2,25 +2,23 @@
 creation_date = "2023/11/15"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
-min_stack_version = "8.4.0"
-updated_date = "2024/01/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token
-forging capability that are often abused to bypass access control restrictions.
+Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access
+token forging capability that are often abused to bypass access control restrictions.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen NewCredentials Logon Process"
+references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]
 risk_score = 47
 rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d"
 severity = "medium"
-references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -42,15 +40,17 @@ name = "Token Impersonation/Theft"
 reference = "https://attack.mitre.org/techniques/T1134/001/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
+
+
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 8759499b7..ed74562df 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -87,7 +85,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon"
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -152,19 +150,19 @@ reference = "https://attack.mitre.org/techniques/T1574/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index 02021929a..4c4ac047e 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -22,7 +20,14 @@ references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-gro
 risk_score = 47
 rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -49,6 +54,7 @@ reference = "https://attack.mitre.org/techniques/T1547/"
 id = "T1547.010"
 name = "Port Monitors"
 reference = "https://attack.mitre.org/techniques/T1547/010/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.012"
 name = "Print Processors"
@@ -70,6 +76,7 @@ reference = "https://attack.mitre.org/techniques/T1547/"
 id = "T1547.010"
 name = "Port Monitors"
 reference = "https://attack.mitre.org/techniques/T1547/010/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.012"
 name = "Print Processors"
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
index 8542b8686..104f6ed94 100644
--- a/rules/windows/privilege_escalation_posh_token_impersonation.toml
+++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -129,7 +128,13 @@ references = [
 risk_score = 47
 rule_id = "11dd9713-0ec6-4110-9707-32daae1ee68c"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index c0752b55e..03ba85956 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/26"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -26,7 +24,16 @@ references = [
 risk_score = 73
 rule_id = "bd7eefee-f671-494e-98df-f01daf9e5f17"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 80d175281..2b31df40e 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index da760c6a0..8fee45cb7 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index 04705ffe7..f6e2619c9 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -108,7 +106,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index 369de22ae..07e9726f3 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -21,7 +19,15 @@ references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variable risk_score = 73 rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml index 818894d17..ed2a9f31a 100644 --- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml +++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml @@ -2,9 +2,7 @@ creation_date = "2021/12/12" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -36,7 +34,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Use Case: Vulnerability", +] timestamp_override = "event.ingested" type = "eql" @@ -49,7 +56,6 @@ iam where event.action == "renamed-user-account" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index a7540a238..fb37b69ba 100644 --- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -27,6 +25,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -80,7 +79,17 @@ The `sc.exe` command line utility is used to manage and control Windows services risk_score = 21 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -108,13 +117,19 @@ id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -123,35 +138,29 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" @@ -163,6 +172,7 @@ name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml index df47b515e..20cd76492 100644 --- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml +++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml @@ -2,9 +2,7 @@ creation_date = "2022/05/11" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -26,7 +24,15 @@ references = [ risk_score = 73 rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Use Case: Vulnerability", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml index 842ee2320..52b35de4d 100644 --- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml +++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml @@ -2,9 +2,7 @@ creation_date = "2022/10/20" integration = ["windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index 2b333cea9..bc934e48b 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,7 +27,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -58,7 +66,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -76,7 +83,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index cf28f5d3c..252307c82 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,7 +27,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -60,7 +68,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -78,7 +85,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -96,3 +102,4 @@ reference = "https://attack.mitre.org/techniques/T1559/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index 094f11fde..dc53b6788 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,7 +26,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -57,7 +65,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -75,7 +82,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index 6e72533b8..9989095fd 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "UAC Bypass via DiskCleanup Scheduled Task Hijack" @@ -28,7 +32,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -58,7 +71,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -76,7 +88,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index f7d97510c..2f8b17208 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/27" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,7 +30,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -62,7 +69,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -73,6 +79,8 @@ reference = "https://attack.mitre.org/techniques/T1548/" id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -89,4 +97,3 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index c6d243d34..d0c4a6726 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -39,7 +37,13 @@ Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Bypass UAC via Event Viewer" 
@@ -108,7 +112,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -140,7 +153,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index e664bf293..7d67405a5 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -39,7 +37,13 @@ Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Attackers may bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "UAC Bypass Attempt via Windows Directory Masquerading" @@ -108,7 +112,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -135,9 +148,18 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" 
@@ -147,15 +169,6 @@ id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 5d47b701d..54e126d89 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -108,7 +106,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" 
@@ -138,9 +146,18 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.014" +name = "MMC" +reference = "https://attack.mitre.org/techniques/T1218/014/" + + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -149,15 +166,6 @@ reference = "https://attack.mitre.org/techniques/T1548/" id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.014" -name = "MMC" -reference = "https://attack.mitre.org/techniques/T1218/014/" diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml index 1b27f6a89..c84307aa9 100644 --- a/rules/windows/privilege_escalation_unquoted_service_path.toml +++ b/rules/windows/privilege_escalation_unquoted_service_path.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -21,7 +19,13 @@ name = "Potential Exploitation of an Unquoted Service Path Vulnerability" risk_score = 21 rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -36,7 +40,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -47,7 +50,9 @@ name = "Path Interception by Unquoted Path" reference = "https://attack.mitre.org/techniques/T1574/009/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 2a2df5486..4c3ec0857 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -39,7 +37,13 @@ Identifies Windows programs run from unexpected parent processes. This could ind activity on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Unusual Parent-Child Relationship" @@ -108,7 +112,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index 1cc52ef44..f9fa449d1 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -35,7 +33,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 62cfc4928..8aae57f66 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,7 +27,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -92,6 +99,7 @@ name = "Process Hollowing"
 reference = "https://attack.mitre.org/techniques/T1055/012/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
index c5c94e637..57c9603c9 100644
--- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml
+++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -26,7 +24,13 @@ references = [
 risk_score = 73
 rule_id = "26b01043-4f04-4d2f-882a-5a1d2e95751b"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index 3cdd594f3..52704a927 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -36,7 +34,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml
index 62f573c97..4e4c0049a 100644
--- a/rules/windows/privilege_escalation_via_token_theft.toml
+++ b/rules/windows/privilege_escalation_via_token_theft.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup, process.Ext.effective_parent.executable"
-min_stack_version = "8.4.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
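Review bot: Removing `min_stack_version = "8.4.0"` from privilege_escalation_via_token_theft.toml drops the only guard that kept this rule off stacks lacking `process.Ext.effective_parent.executable`, the field its own min_stack_comments line names as the reason for the floor. The same applies to the `8.6.0` floor removed from collection_linux_suspicious_clipboard_activity.toml, whose new_terms rule depends on multi-field support (`value = ["host.id", "process.group_leader.executable"]`). This is only safe if the repository's new global minimum stack version, which this commit presumably raises elsewhere, is at or above 8.6.0; worth confirming before merge, because once the per-rule floors are gone nothing in these files records the dependency. A short note in the commit description stating the new floor and that every per-rule `min_stack_version` at or below it was trimmed would make that intent auditable.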
@@ -24,7 +22,13 @@ references = [
 risk_score = 73
 rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index cd608a639..034fdc255 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/07"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml
index a8f4f0650..445af055e 100644
--- a/rules_building_block/collection_archive_data_zip_imageload.toml
+++ b/rules_building_block/collection_archive_data_zip_imageload.toml
@@ -2,29 +2,34 @@
 creation_date = "2023/07/06"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration.
 """
 from = "now-119m"
-interval = "60m"
 index = ["logs-endpoint.events.library-*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Compression DLL Loaded by Unusual Process"
 risk_score = 21
 rule_id = "d197478e-39f0-4347-a22f-ba654718b148"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
 type = "eql"
-building_block_type = "default"
 query = '''
 library where host.os.type == "windows" and event.action == "load" and
@@ -48,6 +53,7 @@ library where host.os.type == "windows" and event.action == "load" and
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -55,7 +61,9 @@ id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml
index 7799e6863..8cbf9f554 100644
--- a/rules_building_block/collection_common_compressed_archived_file.toml
+++ b/rules_building_block/collection_common_compressed_archived_file.toml
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = "endpoint"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,6 +32,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 file where host.os.type == "windows" and event.type in ("creation", "change") and process.executable != null and not user.id : ("S-1-5-18", "S-1-5-17") and file.Ext.header_bytes : (
@@ -115,59 +114,58 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+[[rule.threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
+
+
+[[rule.threat.technique]]
+id = "T1560"
+name = "Archive Collected Data"
+reference = "https://attack.mitre.org/techniques/T1560/"
+[[rule.threat.technique.subtechnique]]
+id = "T1560.001"
+name = "Archive via Utility"
+reference = "https://attack.mitre.org/techniques/T1560/001/"
+
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
- [[rule.threat.technique]]
- id = "T1560"
- name = "Archive Collected Data"
- reference = "https://attack.mitre.org/techniques/T1560/"
-
- [[rule.threat.technique.subtechnique]]
- id = "T1560.001"
- name = "Archive via Utility"
- reference = "https://attack.mitre.org/techniques/T1560/001/"
-
- [[rule.threat.technique]]
- id = "T1074"
- name = "Data Staged"
- reference = "https://attack.mitre.org/techniques/T1074/"
-
- [[rule.threat.technique.subtechnique]]
- id = "T1074.001"
- name = "Local Data Staging"
- reference = "https://attack.mitre.org/techniques/T1074/001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1132"
+name = "Data Encoding"
+reference = "https://attack.mitre.org/techniques/T1132/"
+[[rule.threat.technique.subtechnique]]
+id = "T1132.001"
+name = "Standard Encoding"
+reference = "https://attack.mitre.org/techniques/T1132/001/"
+
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
- [[rule.threat.technique]]
- id = "T1132"
- name = "Data Encoding"
- reference = "https://attack.mitre.org/techniques/T1132/"
-
- [[rule.threat.technique.subtechnique]]
- id = "T1132.001"
- name = "Standard Encoding"
- reference = "https://attack.mitre.org/techniques/T1132/001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
- [[rule.threat.technique]]
- id = "T1027"
- name = "Obfuscated Files or Information"
- reference = "https://attack.mitre.org/techniques/T1027/"
diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
index bfebdb55c..9b62ea0f7 100644
--- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
+++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
@@ -2,28 +2,33 @@
 creation_date = "2023/08/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.
 """
 from = "now-119m"
-interval = "60m"
 index = ["logs-endpoint.events.file-*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "File Staged in Root Folder of Recycle Bin"
 risk_score = 21
 rule_id = "57bccf1d-daf5-4e1a-9049-ff79b5254704"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 query = '''
@@ -33,20 +38,22 @@ file where host.os.type == "windows" and event.type == "creation" and
 not file.name : "desktop.ini"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1074"
 name = "Data Staged"
 reference = "https://attack.mitre.org/techniques/T1074/"
+[[rule.threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
- [[rule.threat.technique.subtechnique]]
- id = "T1074.001"
- name = "Local Data Staging"
- reference = "https://attack.mitre.org/techniques/T1074/001/"
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
diff --git a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml
index d48ae3695..7705f9a89 100644
--- a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml
+++ b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml
@@ -2,20 +2,19 @@
 creation_date = "2023/07/27"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
 """
 from = "now-119m"
-interval = "60m"
 index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+interval = "60m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Suspicious Clipboard Activity Detected"
@@ -23,32 +22,33 @@ risk_score = 21
 rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager"
- ]
-type = "new_terms"
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager",
+]
 timestamp_override = "event.ingested"
-building_block_type = "default"
+type = "new_terms"
+
 query = '''
 event.category:process and host.os.type:"linux" and event.type:"start" and event.action:("exec" or "exec_event" or "executed" or "process_started") and process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq")
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1115"
 name = "Clipboard Data"
 reference = "https://attack.mitre.org/techniques/T1115/"
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
@@ -57,7 +57,8 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.group_leader.executable"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
+
+
diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml
index 6b5b04cb0..3362ff8a2 100644
--- a/rules_building_block/collection_outlook_email_archive.toml
+++ b/rules_building_block/collection_outlook_email_archive.toml
@@ -2,29 +2,34 @@
 creation_date = "2023/08/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
-Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or
-modification of these files.
+Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search,
+access, or modification of these files.
 """
 from = "now-119m"
-interval = "60m"
 index = ["logs-endpoint.events.process-*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Accessing Outlook Data Files"
 risk_score = 21
 rule_id = "2e311539-cd88-4a85-a301-04f38795007c"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
 type = "eql"
-building_block_type = "default"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and
@@ -35,19 +40,22 @@ process where host.os.type == "windows" and event.type == "start" and process.ar
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1114.001"
 name = "Local Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/001/"
+
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml
index cfc5929a8..5090c481c 100644
--- a/rules_building_block/command_and_control_bitsadmin_activity.toml
+++ b/rules_building_block/command_and_control_bitsadmin_activity.toml
@@ -2,29 +2,34 @@
 creation_date = "2023/08/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.
 """
 from = "now-119m"
-interval = "60m"
 index = ["logs-endpoint.events.process-*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Bitsadmin Activity"
 risk_score = 21
 rule_id = "8eec4df1-4b4b-4502-b6c3-c788714604c9"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
 type = "eql"
-building_block_type = "default"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
@@ -40,6 +45,7 @@ process where host.os.type == "windows" and event.type == "start" and
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -52,7 +58,6 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -65,7 +70,6 @@ reference = "https://attack.mitre.org/techniques/T1197/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -78,3 +82,4 @@ reference = "https://attack.mitre.org/techniques/T1197/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml
index 15bce7b66..c2e4b44ff 100644
--- a/rules_building_block/command_and_control_certutil_network_connection.toml
+++ b/rules_building_block/command_and_control_certutil_network_connection.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 bypass_bbr_timing = true
 [transform]
diff --git a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
index 1caa23c11..3a1341bca 100644
--- a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
+++ b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -31,18 +29,19 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
+
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = """
 This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers
-can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert
+can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert
 communication channels, enabling lateral movement and facilitating remote control of systems within a network.
 """
 from = "now-119m"
-interval = "60m"
 index = ["logs-endpoint.events.*", "endgame-*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux SSH X11 Forwarding"
@@ -110,31 +109,34 @@ risk_score = 21
 rule_id = "29f0cf93-d17c-4b12-b4f3-a433800539fa"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Rule Type: BBR"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules_building_block/command_and_control_non_standard_http_port.toml b/rules_building_block/command_and_control_non_standard_http_port.toml
index db386d382..44d1e9f9f 100644
--- a/rules_building_block/command_and_control_non_standard_http_port.toml
+++ b/rules_building_block/command_and_control_non_standard_http_port.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/07/10"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -31,18 +29,18 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
+
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = """
-Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS.
-For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443.
-Adversaries may make changes to the standard port a protocol uses to bypass filtering or
-muddle analysis/parsing of network data.
+Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For
+example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to
+the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.
 """
 from = "now-119m"
-interval = "60m"
 index = ["logs-endpoint.events.*", "endgame-*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Non-Standard Port HTTP/HTTPS connection"
@@ -108,46 +106,46 @@ risk_score = 21
 rule_id = "62b68eb2-1e47-4da7-85b6-8f478db5b272"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( "connection_attempted", "ipv4_connection_attempt_event", "connection_accepted", "ipv4_connection_accept_event" ) and destination.ip != "127.0.0.1"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
 [[rule.threat.technique]]
 id = "T1571"
 name = "Non-Standard Port"
 reference = "https://attack.mitre.org/techniques/T1571/"
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1071.001"
-name = "Web Protocols"
-reference = "https://attack.mitre.org/techniques/T1071/001/"
-
 [[rule.threat.technique]]
 id = "T1573"
 name = "Encrypted Channel"
 reference = "https://attack.mitre.org/techniques/T1573/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1573.001"
 name = "Symmetric Cryptography"
@@ -158,7 +156,10 @@ id = "T1573.002"
 name = "Asymmetric Cryptography"
 reference = "https://attack.mitre.org/techniques/T1573/002/"
+
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules_building_block/credential_access_mdmp_file_creation.toml b/rules_building_block/credential_access_mdmp_file_creation.toml
index c9da48cd0..938d4cba5 100644
--- a/rules_building_block/credential_access_mdmp_file_creation.toml
+++ b/rules_building_block/credential_access_mdmp_file_creation.toml
@@ -1,14 +1,13 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/09/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
-bypass_bbr_timing = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory.
@@ -21,9 +20,15 @@ name = "Potential Credential Access via Memory Dump File Creation"
 risk_score = 21
 rule_id = "e707a7be-cc52-41ac-8ab3-d34b38c20005"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 query = '''
@@ -90,3 +95,4 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml
index 2a9735df4..666c28d4f 100644
--- a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml
+++ b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml
@@ -1,14 +1,13 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/09/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
-bypass_bbr_timing = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses.
@@ -21,9 +20,16 @@ name = "Memory Dump File with Unusual Extension"
 risk_score = 21
 rule_id = "c0b9dc99-c696-4779-b086-0d37dc2b3778"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 query = '''
@@ -61,8 +67,6 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -75,7 +79,9 @@ name = "Masquerade File Type"
 reference = "https://attack.mitre.org/techniques/T1036/008/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml
index 42b71291c..9ae2286ca 100644
--- a/rules_building_block/credential_access_win_private_key_access.toml
+++ b/rules_building_block/credential_access_win_private_key_access.toml
@@ -2,28 +2,31 @@
 creation_date = "2023/08/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
-description = """
-Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.
-"""
+building_block_type = "default"
+description = "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.\n"
 from = "now-119m"
-interval = "60m"
 index = ["logs-endpoint.events.process-*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Attempted Private Key Access"
 risk_score = 21
 rule_id = "c55badd3-3e61-4292-836f-56209dc8a601"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
 type = "eql"
-building_block_type = "default"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
@@ -47,6 +50,7 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -64,3 +68,4 @@ reference = "https://attack.mitre.org/techniques/T1552/004/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index 399b4d52f..8e6fdd616 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml 
@@ -2,28 +2,32 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload. -""" +building_block_type = "default" +description = "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\n" from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Binary Content Copy via Cmd.exe" risk_score = 21 rule_id = "53dedd83-1be7-430f-8026-363256395c8b" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and 
@@ -32,33 +36,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.args : "copy" and process.args : "/b")) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml index a3bc97b36..75a9ca7c7 100644 --- a/rules_building_block/defense_evasion_cmstp_execution.toml +++ b/rules_building_block/defense_evasion_cmstp_execution.toml 
@@ -2,32 +2,35 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via CMSTP.exe" -references = [ - "https://attack.mitre.org/techniques/T1218/003/", -] +references = ["https://attack.mitre.org/techniques/T1218/003/"] risk_score = 21 rule_id = "bd3d058d-5405-4cee-b890-337f09366ba2" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -53,3 +56,4 @@ reference = "https://attack.mitre.org/techniques/T1218/003/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml index 77c7aae2f..e59ad5a89 100644 
--- a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml +++ b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. @@ -21,9 +20,15 @@ name = "Archive File with Unusual Extension" risk_score = 21 rule_id = "cffbaf47-9391-4e09-a83c-1f27d7474826" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -49,6 +54,7 @@ file where host.os.type == "windows" and event.action != "deletion" and not (process.executable : "?:\\Windows\\System32\\inetsrv\\w3wp.exe" and file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -61,7 +67,9 @@ name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml index 303f5a25a..0e9ddb9fa 100644 --- a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code. @@ -21,9 +20,16 @@ name = "Suspicious Communication App Child Process" risk_score = 21 rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -255,7 +261,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" 
@@ -266,16 +271,17 @@ id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -283,6 +289,7 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml index 0e918df36..8bad6f8fe 100644 --- a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml +++ b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml @@ -2,20 +2,18 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identify activity related where adversaries can add the 'hidden' flag to files to hide -them from the user in an attempt to evade detection. +Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt +to evade detection. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Hidden Files and Directories via Hidden Flag" 
@@ -23,36 +21,39 @@ risk_score = 21 rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where event.type == "creation" and process.name == "chflags" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index 35f81a544..68d23e228 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml 
@@ -2,29 +2,34 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." -min_stack_version = "8.4.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.library-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Unsigned DLL Loaded by a Trusted Process" risk_score = 21 rule_id = "c20cd758-07b1-46a1-b03f-fa66158258b8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -82,7 +87,6 @@ framework = "MITRE ATT&CK" id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL Search Order Hijacking" @@ -95,8 +99,8 @@ reference = "https://attack.mitre.org/techniques/T1574/002/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
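Review bot: Removing `min_stack_version = "8.4.0"` in the first hunk also drops the only recorded reason this rule had a higher floor than its siblings: the deleted `min_stack_comments` states that `dll.Ext.relative_file_creation_time` is populated only by Elastic Endpoint 8.4 and above, and the query (which opens at the end of this hunk and continues outside it) presumably still depends on that field. If the repository-wide minimum stack is now at or above 8.4.0 the trim is harmless, but nothing in this hunk establishes that; otherwise the rule becomes eligible for stacks where the field is empty and it would silently never match. Consider keeping the dependency visible in the file, e.g. a `[metadata]` comment such as `# dll.Ext.relative_file_creation_time requires Elastic Endpoint >= 8.4`, or restoring `min_stack_version = "8.4.0"` if the global floor is lower.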
diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml index 11d2c4033..79332fc53 100644 --- a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml +++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml @@ -2,27 +2,32 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/09/25" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the execution of DotNet ClickOnce installer via Dfsvc.exe trampoline. Adversaries may take advantage of ClickOnce to proxy execution of malicious payloads via trusted Microsoft processes. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Execution via Microsoft DotNet ClickOnce Host" risk_score = 21 rule_id = "5297b7f1-bccd-4611-93fa-ea342a01ff84" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] -building_block_type = "default" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -35,7 +40,6 @@ sequence by user.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
@@ -45,13 +49,15 @@ reference = "https://attack.mitre.org/techniques/T1127/" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + - [[rule.threat.technique.subtechnique]] - id = "T1218.011" - name = "Rundll32" - reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml index 1a64a5acf..0e65e8b4c 100644 --- a/rules_building_block/defense_evasion_download_susp_extension.toml +++ b/rules_building_block/defense_evasion_download_susp_extension.toml 
@@ -2,32 +2,38 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution. +Identifies unusual files downloaded from outside the local network that have the potential to be abused for code +execution. """ -references = [ - "https://x.com/Laughing_Mantis/status/1518766501385318406", - "https://wikileaks.org/ciav7p1/cms/page_13763375.html" -] from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.file-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "File with Suspicious Extension Downloaded" +references = [ + "https://x.com/Laughing_Mantis/status/1518766501385318406", + "https://wikileaks.org/ciav7p1/cms/page_13763375.html", +] risk_score = 21 rule_id = "8d366588-cbd6-43ba-95b4-0971c3f906e5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' file where host.os.type == "windows" and event.type == "creation" and 
@@ -55,17 +61,16 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique]] - name = "System Binary Proxy Execution" - id = "T1218" - reference = "https://attack.mitre.org/techniques/T1218/" - - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml index 2233ab0f3..2eecbdb9c 100644 --- a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml +++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml 
@@ -2,33 +2,39 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the execution of a command via Microsoft Visual Studio Pre or Post build events. Adversaries may backdoor a trusted visual studio project to execute a malicious command during the project build process. """ -references = [ - "https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022", - "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html", - "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx" -] from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Execution via MS VisualStudio Pre/Post Build Events" +references = [ + "https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html", + "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx", +] risk_score = 21 rule_id = "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"] 
-building_block_type = "default" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -94,3 +100,4 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/defense_evasion_file_permission_modification.toml b/rules_building_block/defense_evasion_file_permission_modification.toml index 11a0e1a76..f58bdff58 100644 --- a/rules_building_block/defense_evasion_file_permission_modification.toml +++ b/rules_building_block/defense_evasion_file_permission_modification.toml @@ -2,28 +2,33 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the change of permissions/ownership of files/folders through built-in Windows utilities. Threat actors may require permission modification of files/folders to change, modify or delete them. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "File and Directory Permissions Modification" risk_score = 21 rule_id = "bc9e4f5a-e263-4213-a2ac-1edf9b417ada" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -46,14 +51,15 @@ framework = "MITRE ATT&CK" id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml index 548a7d4d0..845c9e554 100644 --- a/rules_building_block/defense_evasion_generic_deletion.toml +++ b/rules_building_block/defense_evasion_generic_deletion.toml 
@@ -2,28 +2,33 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "File or Directory Deletion Command" risk_score = 21 rule_id = "5919988c-29e1-4908-83aa-1f087a838f63" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -47,7 +52,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" @@ -57,7 +61,10 @@ id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml index 360c17149..1b0edce3e 100644 --- a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml 
+++ b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml @@ -2,27 +2,37 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe. -""" +building_block_type = "default" +description = "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\n" from = "now-119m" +index = [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", +] interval = "60m" -index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Indirect Command Execution via Forfiles/Pcalua" risk_score = 21 rule_id = "98843d35-645e-4e66-9d6a-5049acd96ce1" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -43,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1202/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml index 92008c11f..6d1c96172 100644 
--- a/rules_building_block/defense_evasion_injection_from_msoffice.toml +++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml @@ -2,29 +2,36 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual process arguments and path. This behavior is often observed during exploitation of Office applications or from documents with malicious macros. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Process Injection from Malicious Document" risk_score = 21 rule_id = "1c5a04ae-d034-41bf-b0d8-96439b5cc774" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -42,6 +49,7 @@ process where host.os.type == "windows" and event.action == "start" and "?:\\Windows\\System32\\notepad.exe") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -49,12 +57,11 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -62,12 +69,11 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -79,7 +85,10 @@ id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules_building_block/defense_evasion_installutil_command_activity.toml b/rules_building_block/defense_evasion_installutil_command_activity.toml index cca9b3bca..18335f50a 100644 --- a/rules_building_block/defense_evasion_installutil_command_activity.toml +++ b/rules_building_block/defense_evasion_installutil_command_activity.toml 
@@ -2,29 +2,41 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility. """ from = "now-119m" +index = [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", +] interval = "60m" -index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "InstallUtil Activity" risk_score = 21 rule_id = "90babaa8-5216-4568-992d-d4a01a105d98" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -50,3 +62,4 @@ reference = "https://attack.mitre.org/techniques/T1218/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml index 1ab179118..2017bffb2 100644 --- a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml 
+++ b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml @@ -2,28 +2,33 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a signed binary. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.library-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Image Loaded with Invalid Signature" risk_score = 21 rule_id = "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -36,20 +41,22 @@ library where host.os.type == "windows" and event.action == "load" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_masquerading_browsers.toml b/rules_building_block/defense_evasion_masquerading_browsers.toml index 3f033afb3..05eab7af3 100644 
--- a/rules_building_block/defense_evasion_masquerading_browsers.toml +++ b/rules_building_block/defense_evasion_masquerading_browsers.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into @@ -22,9 +21,16 @@ name = "Potential Masquerading as Browser Process" risk_score = 21 rule_id = "5b9eb30f-87d6-45f4-9289-2bf2024f0376" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -159,7 +165,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -171,11 +176,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -183,6 +188,7 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml index 0e92d42ba..7df37c105 100644 --- a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml +++ b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml @@ -2,28 +2,33 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.file-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Executable File with Unusual Extension" risk_score = 21 rule_id = "ecd4857b-5bac-455e-a7c9-a88b66e56a9e" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -59,7 +64,9 @@ name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml index 719e094cd..a27d78317 100644 --- a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/09" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate @@ -22,9 +21,16 @@ name = "Potential Masquerading as VLC DLL" risk_score = 21 rule_id = "4494c14f-5ff8-4ed2-8e99-bf816a1642fc" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -43,7 +49,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -55,12 +60,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -68,6 +72,7 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml index 3cd09f3fd..41bd9f17d 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." -min_stack_version = "8.4.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign 
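Review bot: In the `@@ -1,14 +1,13 @@` hunk of defense_evasion_masquerading_windows_dll.toml the removed `min_stack_version = "8.4.0"` is the only floor in this change that records a field-availability dependency rather than the generic 8.3.0 schema note, and its `min_stack_comments` ("dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above") is dropped with it. If the trimmed baseline for this branch is at or above 8.4.0 the removal is harmless, but that is not visible in the hunk; otherwise the rule would be published to stacks where the field is never populated and the query would silently never match. The dependency should stay documented where the rule tooling preserves it — for example a line in the rule's `description` noting the field requires Elastic Endpoint 8.4 or later — rather than being lost with the version line.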
@@ -22,9 +21,16 @@ name = "Potential Masquerading as System32 DLL" risk_score = 21 rule_id = "fb01d790-9f74-4e76-97dd-b4b0f7bf6435" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -106,7 +112,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -117,11 +122,11 @@ id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL Search Order Hijacking" @@ -133,12 +138,11 @@ name = "DLL Side-Loading" reference = "https://attack.mitre.org/techniques/T1574/002/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -146,6 +150,7 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml index 803b5fea6..bed9eb796 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml 
+++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables. @@ -21,9 +20,16 @@ name = "Potential Masquerading as System32 Executable" risk_score = 21 rule_id = "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -80,7 +86,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -91,12 +96,12 @@ id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -104,6 +109,7 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml index 870180263..a29c08022 100644 --- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml 
@@ -2,31 +2,41 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual -parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files. +Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an +unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files. """ -references = [ - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd" -] from = "now-119m" +index = [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", +] interval = "60m" -index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Troubleshooting Pack Cabinet Execution" +references = ["https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd"] risk_score = 21 rule_id = "808291d3-e918-4a3a-86cd-73052a0c9bdc" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -48,13 +58,14 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique]] - name = "System Binary Proxy Execution" - id = "T1218" - reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml b/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml index 8ee273efc..1a910a7c3 100644 --- a/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml +++ b/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml 
@@ -2,30 +2,33 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/09/26" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the execution of an installer from an archive or with suspicious properties. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files in an attempt to bypass application whitelisting. """ -references = [ - "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/" -] from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Windows Installer with Suspicious Properties" +references = ["https://lolbas-project.github.io/lolbas/Binaries/Msiexec/"] risk_score = 21 rule_id = "55f07d1b-25bc-4a0f-aa0c-05323c1319d0" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] -building_block_type = "default" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -63,3 +66,4 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml index e0133519d..c5e63bbb8 100644 --- a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml +++ b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml 
@@ -2,20 +2,18 @@ creation_date = "2023/08/24" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identify instances where adversaries include trailing space characters to mimic regular files, disguising their -activity to evade default file handling mechanisms. +Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity +to evade default file handling mechanisms. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Processes with Trailing Spaces" 
@@ -23,37 +21,40 @@ risk_score = 21 rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name : "* " ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.006" name = "Space after Filename" reference = "https://attack.mitre.org/techniques/T1036/006/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml index f822fdc3a..c1f1d49da 100644 --- a/rules_building_block/defense_evasion_service_disabled_registry.toml +++ b/rules_building_block/defense_evasion_service_disabled_registry.toml 
@@ -2,19 +2,18 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies attempts to modify services start settings using processes other than services.exe. Attackers may attempt to modify security and monitoring services to avoid detection or delay response. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.registry-*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Service Disabled via Registry Modification" @@ -28,10 +27,9 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR" + "Rule Type: BBR", ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -60,7 +58,6 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -73,3 +70,4 @@ reference = "https://attack.mitre.org/techniques/T1489/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml index 3dbc25b09..7dbda2f6f 100644 --- a/rules_building_block/defense_evasion_service_path_registry.toml +++ b/rules_building_block/defense_evasion_service_path_registry.toml 
@@ -2,19 +2,18 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.registry-*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Service Path Modification" @@ -28,10 +27,9 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR" + "Rule Type: BBR", ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -62,29 +60,25 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -100,3 +94,4 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index c26ac369c..2cb09abc8 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,19 +2,18 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Service Path Modification via sc.exe" @@ -28,10 +27,9 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR" + "Rule Type: BBR", ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -52,29 +50,25 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -90,3 +84,4 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml index 6625b9806..c5f71c75d 100644 --- a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml +++ b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml 
@@ -2,32 +2,38 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files. """ -references = [ - "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", - "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/" -] from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Suspicious Execution via MSIEXEC" +references = [ + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", + "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/", +] risk_score = 21 rule_id = "708c9d92-22a3-4fe0-b6b9-1f861c55502d" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -79,3 +85,4 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules_building_block/defense_evasion_unsigned_bits_client.toml b/rules_building_block/defense_evasion_unsigned_bits_client.toml index 36adfe503..84012c3b2 100644 --- a/rules_building_block/defense_evasion_unsigned_bits_client.toml +++ b/rules_building_block/defense_evasion_unsigned_bits_client.toml @@ -2,32 +2,37 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies an unsigned Windows Background Intelligent Transfer Service (BITS) client process. Attackers may abuse BITS functionality to download or upload data using the BITS service. """ -references = [ - "https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", - "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" -] from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.library-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Unsigned BITS Service Client Process" +references = [ + "https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", + "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2", +] risk_score = 21 rule_id = "9a3884d0-282d-45ea-86ce-b9c81100f026" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -39,23 +44,24 @@ not process.code_signature.status : ("errorExpired", "errorCode_endpoint*") [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1197" -name = "BITS Jobs" -reference = "https://attack.mitre.org/techniques/T1197/" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" +[[rule.threat.technique]] +id = "T1197" +name = "BITS Jobs" +reference = "https://attack.mitre.org/techniques/T1197/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_unusual_process_extension.toml b/rules_building_block/defense_evasion_unusual_process_extension.toml index 695bf5aea..62072e9e4 100644 --- a/rules_building_block/defense_evasion_unusual_process_extension.toml +++ b/rules_building_block/defense_evasion_unusual_process_extension.toml 
@@ -2,28 +2,31 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Identifies processes running with unusual extensions that are not typically valid for Windows executables. -""" +building_block_type = "default" +description = "Identifies processes running with unusual extensions that are not typically valid for Windows executables.\n" from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Unusual Process Extension" risk_score = 21 rule_id = "800e01be-a7a4-46d0-8de9-69f3c9582b44" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and @@ -57,19 +60,22 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.008" name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
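Review bot: The first hunk turns the multi-line description into a basic string that ends in a literal `\n` (`description = "Identifies processes ... Windows executables.\n"`), which is a serializer artifact rather than intended content and will render as a trailing blank line wherever the description is shown. Either keep the `"""` block or drop the escape: `description = "Identifies processes running with unusual extensions that are not typically valid for Windows executables."`. The same artifact appears in the WBEM-path rule later in this patch.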
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml index 2337423bd..b65efa354 100644 --- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml +++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml @@ -2,28 +2,38 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes. -""" +building_block_type = "default" +description = "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\n" from = "now-119m" +index = [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", +] interval = "60m" -index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Unusual Process Execution on WBEM Path" risk_score = 21 rule_id = "1f460f12-a3cf-4105-9ebb-f788cc63f365" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and 
@@ -41,6 +51,7 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,7 +59,9 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index ddd47f1ea..09e5dd121 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,12 +2,11 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated @@ -16,11 +15,16 @@ compromised accounts additional rights, ultimately compromising the target objec lateral movement, and persistence. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-system.security*", "logs-windows.*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "WRITEDAC Access on Active Directory Object" +references = [ + "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf", +] +risk_score = 21 +rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97" setup = """## Setup The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). 
@@ -37,35 +41,38 @@ DS Access > Audit Directory Service Access (Success,Failure) ``` """ -references = [ - "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf" -] -risk_score = 21 -rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' host.os.type: "windows" and event.action : ("Directory Service Access" or "object-operation-performed") and event.code : "4662" and winlog.event_data.AccessMask:"0x40000" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" -reference = "https://attack.mitre.org/techniques/T1222/" name = "File and Directory Permissions Modification" - +reference = "https://attack.mitre.org/techniques/T1222/" [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml index 305f6b593..ff88b1d33 100644 --- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml 
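Review bot: The query in this hunk keeps the exact-string test `winlog.event_data.AccessMask:"0x40000"`, but AccessMask in event 4662 is a bit mask of all rights requested in the access check, so a WRITE_DAC request that arrives combined with other rights (for example `0x60000`, WRITE_DAC plus READ_CONTROL) is not matched by a KQL equality on the hex string. Before relying on this for DACL-backdoor detection it is worth confirming from sample 4662 events whether the mask is reported isolated or combined; if combined, the match should enumerate the observed composite values or be moved to a rule type that can test the bit. The mapping to T1222.001 looks consistent with the setup text, so no change there.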
@@ -1,17 +1,15 @@ [metadata] +bypass_bbr_timing = true creation_date = "2022/11/01" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows +Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell. """ from = "now-9m" @@ -57,15 +55,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" @@ -75,9 +74,9 @@ process where host.os.type == "windows" and event.type == "start" and not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" 
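Review bot: The parent-path exclusion in the third hunk, `not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*")`, lists the 8.3 alias for Program Files but not `PROGRA~2`, the alias Windows uses for Program Files (x86), so the two trees are treated inconsistently. If the intent is to suppress both, add `"?:\\PROGRA~2\\*"`; if the intent is to keep the short-name paths in scope as a cheap masquerading signal, then `PROGRA~1` should be dropped instead. Note also that an exclusion keyed on the parent's location alone lets any tooling dropped under Program Files run these discovery commands unobserved, which may be acceptable for a BBR but deserves a comment. The query body starts outside this hunk.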
@@ -88,25 +87,26 @@ id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index 2b0ab58fa..eb8dadcd5 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -22,13 +20,14 @@ name = "Windows Account or Group Discovery" risk_score = 21 rule_id = "089db1af-740d-4d84-9a5b-babd6de143b0" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -62,14 +61,13 @@ process where host.os.type == "windows" and event.type == "start" and and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -80,16 +78,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" -[[rule.threat.technique]] -id = "T1201" -name = "Password Policy Discovery" -reference = "https://attack.mitre.org/techniques/T1201/" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" - [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -100,7 +93,15 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" + +[[rule.threat.technique]] +id = "T1201" +name = "Password Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1201/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index d56783275..bafbf1c86 100644 --- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
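Review bot: The third hunk keeps `not process.parent.name : "LTSVC.exe"` as an exclusion, and a parent exclusion keyed on a bare image name is trivially satisfied by an attacker who names their loader LTSVC.exe. For a building-block rule that feeds higher-order alerts, anchor the exclusion on the installed path instead, e.g. `not process.parent.executable : "?:\\Windows\\LTSvc\\LTSVC.exe"`, and add the signer check if the data source provides `process.parent.code_signature`. The `not user.id : "S-1-5-18"` SYSTEM exclusion is fine as written. The rest of the query precedes this hunk.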
@@ -15,21 +13,28 @@ This rule identifies the execution of commands that can be used to enumerate run enumerate processes to identify installed applications and security solutions. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Process Discovery Using Built-in Tools" risk_score = 21 rule_id = "4982ac3e-d0ee-4818-b95d-d9522d689259" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" @@ -44,15 +49,17 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : "S-1-5-18" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index d645ef76a..cfe2edba2 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml 
@@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -23,13 +21,14 @@ name = "Query Registry using Built-in Tools" risk_score = 21 rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -54,14 +53,15 @@ host.os.type:windows and event.category:process and event.type:start and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -70,7 +70,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules_building_block/discovery_hosts_file_access.toml b/rules_building_block/discovery_hosts_file_access.toml index 74bee0709..8a3177bf2 100644 --- a/rules_building_block/discovery_hosts_file_access.toml +++ b/rules_building_block/discovery_hosts_file_access.toml 
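Review bot: The first hunk removes `min_stack_version = "8.6.0"` together with the comment that justified it ("Multiple field support in the New Terms rule type was added in Elastic 8.6"), yet the rule remains `type = "new_terms"` over `value = ["host.id", "user.id"]` (last hunk), which is exactly the multi-field capability that guard protected. This is only safe if the lowest stack the repository still targets is at least 8.6; on an older stack the rule would fail to load rather than degrade. If the trimming is driven by a new repository-wide floor, a one-line pointer to that floor in the metadata, or a check in the tooling that refuses to trim a guard below the floor, would keep that dependency visible.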
@@ -2,9 +2,7 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,8 +12,8 @@ Identifies the use of built-in tools to read the contents of \\etc\\hosts on a l to discover remote machines in an environment that may be used for Lateral Movement from the current system. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "System Hosts File Access" @@ -23,32 +21,35 @@ risk_score = 21 rule_id = "f75f65cf-ed04-48df-a7ff-b02a8bfe636e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("vi", "nano", "cat", "more", "less") and process.args == "/etc/hosts" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
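Review bot: The query in the second hunk matches only `process.args == "/etc/hosts"` for five readers (`vi`, `nano`, `cat`, `more`, `less`), so equivalent invocations such as `cat /etc/./hosts`, `cat //etc/hosts`, or readers like `head`, `tail`, `grep`, `awk`, `sed` and `strings` go unrecorded; for a BBR meant to enrich, widening the name list and accepting path variants (for example `process.args : "*/etc/hosts"`) would make the enrichment less trivially avoidable. Separately, the description text in the first hunk spells the path as `\\etc\\hosts` with backslashes on a Linux/macOS rule; it should read `/etc/hosts`. The description sentence continues outside the hunk.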
diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index e518e8a81..2ae9e761e 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/01/11" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -23,13 +21,14 @@ name = "Discovery of Internet Capabilities via Built-in Tools" risk_score = 21 rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -39,19 +38,20 @@ process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "::1") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" 
@@ -60,7 +60,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml index d351ec77f..00a0f082b 100644 --- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml @@ -2,17 +2,16 @@ creation_date = "2020/04/12" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate -information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as -lsmod and kmod to list the available kernel modules. +information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod +and kmod to list the available kernel modules. """ false_positives = [ """ @@ -21,8 +20,8 @@ false_positives = [ """, ] from = "now-119m" -interval = "60m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "Enumeration of Kernel Modules via Proc" 
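Review bot: The kernel-module rule's first hunk drops `min_stack_version = "8.6.0"` and its comment while the rule stays `type = "new_terms"` keyed on two fields (`["host.id", "process.executable"]`, visible in its last hunk), the very feature the guard documented. That is only correct if the repository's supported floor is now at or above 8.6; otherwise the rule will not load on older stacks. The same removal is applied to the modprobe and sysctl new-terms rules later in this patch, so a single note recording the new floor would cover all three.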
@@ -47,28 +46,29 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR" - ] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "new_terms" -building_block_type = "default" + query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules" and not process.name:(grep or python* or chef-client) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -77,7 +77,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml index e58678343..05b04fa4b 100644 --- a/rules_building_block/discovery_linux_modprobe_enumeration.toml +++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml 
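Review bot: The query in the first hunk here excludes readers of `/proc/modules` by name only, `not process.name:(grep or python* or chef-client)`, and `python*` in particular suppresses any interpreter-driven tooling, including an attacker's own enumeration script, while a renamed binary can claim either name. Since the new-terms key already uses `process.executable`, the exclusion should be expressed on the executable path too, e.g. `not process.executable:(/usr/bin/grep or /usr/bin/python* or /opt/chef/embedded/bin/chef-client)`, with the actual paths confirmed against the fleet. The setup block preceding the query starts outside this hunk.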
@@ -2,21 +2,20 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or +Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized -kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the +kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. """ from = "now-119m" -interval = "60m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "Suspicious Modprobe File Event" @@ -46,15 +45,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR" - ] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "new_terms" -building_block_type = "default" + query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and not process.name:( 
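Review bot: The query in the second hunk only matches `event.action:"opened-file"` on the modprobe configuration paths, while the description in the first hunk promises detection of "manipulation of critical kernel modules" and tampering that loads unauthorized modules; the sibling sysctl rule in this same patch already covers `("opened-file" or "read-file" or "wrote-to-file")`. Align the two so writes to `/etc/modprobe.d/*` are not silently out of scope: `host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and`. The process-name exclusion list that follows continues outside this hunk.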
@@ -63,14 +62,15 @@ file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -79,7 +79,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml index e02b8d697..f01834a99 100644 --- a/rules_building_block/discovery_linux_sysctl_enumeration.toml +++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml 
@@ -2,20 +2,19 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential -unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl +Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential +unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. """ from = "now-119m" -interval = "60m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "Suspicious Sysctl File Event" @@ -46,15 +45,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR" - ] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "new_terms" -building_block_type = "default" + query = ''' host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not process.name:( 
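Review bot: The second hunk keeps `event.action:("opened-file" or "read-file" or "wrote-to-file")` on `/etc/sysctl.conf` and `/etc/sysctl.d/*`, but the only ATT&CK mapping the rule carries is T1082 System Information Discovery, which describes the read side; a `wrote-to-file` on these paths is a configuration change rather than discovery. Consider either splitting the write branch into its own rule with an appropriate tactic or documenting in the description why writes are intentionally folded under Discovery. The exclusion list after `not process.name:(` continues outside this hunk.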
@@ -62,14 +61,15 @@ file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not p ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -78,7 +78,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/discovery_linux_system_information_discovery.toml b/rules_building_block/discovery_linux_system_information_discovery.toml index af04ae90d..431c60f43 100644 --- a/rules_building_block/discovery_linux_system_information_discovery.toml +++ b/rules_building_block/discovery_linux_system_information_discovery.toml @@ -2,17 +2,15 @@ creation_date = "2023/07/10" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = "Enrich process events with uname and other command lines that imply Linux system information discovery." from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Linux System Information Discovery" 
@@ -20,17 +18,18 @@ risk_score = 21 rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( process.name: "uname" or ( @@ -39,15 +38,17 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_linux_system_owner_user_discovery.toml b/rules_building_block/discovery_linux_system_owner_user_discovery.toml index 461660560..2e2c8d3de 100644 --- a/rules_building_block/discovery_linux_system_owner_user_discovery.toml +++ b/rules_building_block/discovery_linux_system_owner_user_discovery.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/10" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
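Review bot: The query opening in the second hunk, `process where event.type == "start" and event.action in (...) and ( process.name: "uname" or (`, carries no `host.os.type == "linux"` clause even though the index pattern `logs-endpoint.events.*` also receives macOS events and `uname` exists there; unless the filter appears in the part of the query not shown, this "Linux" rule will enrich macOS activity under an `OS: Linux` tag. If the OS filter is absent, prefix it: `process where host.os.type == "linux" and event.type == "start" and`. The remainder of the query is outside this hunk.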
@@ -14,8 +12,8 @@ Identifies the use of built-in tools which adversaries may use to enumerate the system. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "System Owner/User Discovery Linux" @@ -23,25 +21,26 @@ risk_score = 21 rule_id = "bf8c007c-7dee-4842-8e9a-ee534c09d205" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name : ("whoami", "w", "who", "users", "id") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" @@ -52,7 +51,9 @@ id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index 1a9085fe9..dff948bf5 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml 
@@ -2,28 +2,33 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Network Share Discovery" risk_score = 21 rule_id = "b2318c71-5959-469a-a3ce-3a0768e63b9c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Rule Type: BBR", +] type = "eql" -building_block_type = "default" query = ''' sequence by user.name, source.port, source.ip with maxspan=15s @@ -35,6 +40,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
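Review bot: The rule header reshuffled in the first hunk (`from = "now-119m"` through `type = "eql"`) has no `timestamp_override = "event.ingested"`, unlike every other building-block rule touched in this patch, so Windows Security events that are ingested more than 119 minutes after their `@timestamp` (agent backlog, a restarted Winlogbeat) fall outside the lookback window and are never evaluated by this sequence. Unless the omission is deliberate for this query, add `timestamp_override = "event.ingested"` directly after the `tags` array, matching the sibling rules. The lines between the first and second hunks are outside this chunk, so I can only say the key is absent from the shown header, not from the whole file.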
@@ -42,19 +48,19 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" + [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml index c07a15596..10e11ec99 100644 --- a/rules_building_block/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -55,16 +53,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" 
@@ -86,9 +85,9 @@ process where host.os.type == "windows" and event.type == "start" and */ ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -99,20 +98,19 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" + [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml index eb07c9ed3..534e6b19c 100644 --- a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml +++ b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml @@ -2,19 +2,15 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Adversaries may use built-in applications to get a listing of local system or domain accounts and groups. -""" +description = "Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.\n" from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Account or Group Discovery via Built-In Tools" 
@@ -22,18 +18,19 @@ risk_score = 21 rule_id = "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( (process.name in ("groups", "id")) or @@ -44,14 +41,13 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -62,11 +58,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" - [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -77,7 +73,10 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index fc2e465b2..6a1122dd0 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,8 +12,8 @@ Identifies the execution of Linux built-in commands related to account or group and group information to orient themselves before deciding how to act. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Discovery of Domain Groups" @@ -23,17 +21,18 @@ risk_score = 21 rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -41,15 +40,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index ff9a476a5..717f91f01 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml @@ -2,19 +2,18 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Password Policy Discovery Capabilities" @@ -39,10 +38,17 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category: "process" and host.os.type:windows and @@ -92,12 +98,11 @@ id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
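Review bot: The `description` carried through the first hunk does not describe this rule: it talks about WinRM cmdlets and lateral movement, while the rule is named "PowerShell Script with Password Policy Discovery Capabilities", is tagged `Tactic: Discovery`, and maps to T1201 Password Policy Discovery in the last hunk. It reads as a copy-paste from a WinRM rule, and since this text is what an analyst sees on the alert, a patch that already rewrites this file's header is the place to fix it. Replace the two description lines with something like `Identifies PowerShell scripts that use cmdlets or .NET methods capable of enumerating the local or domain password policy. Adversaries may gather password policy details to shape password-spraying or brute-force attempts that stay under lockout thresholds.`, adjusting the wording to the cmdlets actually matched in the query body, which lies outside this chunk.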
diff --git a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml index e43887f64..ca94235fe 100644 --- a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2020/09/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,14 +62,15 @@ references = [ risk_score = 21 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" @@ -131,25 +130,27 @@ network where host.os.type == "windows" and network.protocol == "dns" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" + [[rule.threat.technique]] id = "T1614" name = "System Location Discovery" reference = "https://attack.mitre.org/techniques/T1614/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml index d6dc62b89..8b6be1ce1 100644 --- a/rules_building_block/discovery_potential_memory_seeking_activity.toml +++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -24,16 +22,17 @@ risk_score = 21 rule_id = "035a6f21-4092-471d-9cda-9e379f459b1e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.name == "tail" and process.args == "-c") or @@ -43,15 +42,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml index 8b3047008..d38263710 100644 
--- a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml +++ b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml @@ -2,17 +2,15 @@ creation_date = "2023/07/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint." from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Process Discovery via Built-In Applications" @@ -20,17 +18,18 @@ risk_score = 21 rule_id = "3f4d7734-2151-4481-b394-09d7c6c91f75" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( "ps", "pstree", "htop", "pgrep" @@ -38,9 +37,9 @@ process where event.type == "start" and event.action in ("exec", "exec_event") a not process.parent.name in ("amazon-ssm-agent", "snap") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" 
@@ -50,13 +49,15 @@ reference = "https://attack.mitre.org/techniques/T1057/" id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 4fbf67ecc..b7e1e6414 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -55,15 +53,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" 
@@ -91,9 +90,9 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" @@ -104,7 +103,9 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml index 7811c935f..42a76b8cd 100644 --- a/rules_building_block/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -1,20 +1,25 @@ [metadata] +bypass_bbr_timing = true creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Security Software Discovery using WMIC" 
@@ -57,17 +62,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -76,32 +81,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules_building_block/discovery_signal_unusual_user_host.toml b/rules_building_block/discovery_signal_unusual_user_host.toml index 5c46f3400..6697231b3 100644 --- a/rules_building_block/discovery_signal_unusual_user_host.toml +++ b/rules_building_block/discovery_signal_unusual_user_host.toml 
@@ -1,10 +1,8 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/10" maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/10/10" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,14 +19,16 @@ name = "Unusual Discovery Activity by User" risk_score = 21 rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: Higher-Order Rule" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: Higher-Order Rule", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or @@ -39,6 +39,7 @@ host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -50,7 +51,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/discovery_suspicious_memory_grep_activity.toml b/rules_building_block/discovery_suspicious_memory_grep_activity.toml index 238e3a740..e5e09b922 100644 --- a/rules_building_block/discovery_suspicious_memory_grep_activity.toml +++ b/rules_building_block/discovery_suspicious_memory_grep_activity.toml 
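Review bot: The first hunk drops `min_stack_version = "8.6.0"` together with its justification that multi-field New Terms rules only exist from 8.6, yet the rule still sets `value = ["host.id", "user.id"]` in its last hunk. That is only safe if the trimmed floor in stack-schema-map.yaml is now 8.6.0 or later, which this chunk does not show; if the floor stays below 8.6, this rule would be packaged for stacks that cannot execute a two-field New Terms query. Please confirm the new minimum, and if it is below 8.6.0 keep `min_stack_version = "8.6.0"` and `min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"` on this rule rather than removing them with the 8.3.0 ones.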
@@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/02/05" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,7 @@ building_block_type = "default" description = """ Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may -read a process's memory map to identify memory addresses for code injection or process hijacking. +read a process's memory map to identify memory addresses for code injection or process hijacking. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -25,30 +23,33 @@ risk_score = 21 rule_id = "d74d6506-427a-4790-b170-0c2a6ddac799" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack]", "[vdso]", "[heap]") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules_building_block/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml index 58422eaad..5416dfa0a 100644 --- a/rules_building_block/discovery_suspicious_proc_enumeration.toml +++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml @@ -2,20 +2,19 @@ creation_date = "2023/06/09" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal -activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about -running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. +This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal +activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about +running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. """ from = "now-119m" -interval = "60m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "Suspicious Proc Pseudo File System Enumeration" 
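Review bot: The rewritten `description` lines in this hunk still say the rule fires on enumeration of "25 different proc cmd, stat, and exe files", but the threshold shown in the file's last hunk is `[[rule.threshold.cardinality]] field = "file.path" value = 100`, so the text and the detection logic disagree by a factor of four. Since this patch already touches these exact lines to strip trailing whitespace, correct the number at the same time: `This rule monitors for a rapid enumeration of 100 different proc cmd, stat, and exe files, which suggests an abnormal`. If 25 is the intended sensitivity, the cardinality value is what should change instead; either way the two should agree so an analyst reading the alert knows what actually tripped it.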
@@ -47,12 +46,12 @@ tags = [ "Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR" - ] + "Tactic: Discovery", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "threshold" -building_block_type = "default" + query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : ( @@ -60,9 +59,9 @@ file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.nam ) and not process.parent.pid : 1 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" @@ -73,6 +72,7 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -81,7 +81,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.threshold] field = ["host.id", "process.pid", "process.name"] value = 1 - [[rule.threshold.cardinality]] field = "file.path" value = 100 + + diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index 8445acfed..146fae92b 100644 --- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml 
@@ -2,17 +2,15 @@
 creation_date = "2023/07/11"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = "Adversaries may attempt to get a listing of network connections to or from a compromised system."
 from = "now-119m"
-interval = "60m"
 index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "System Network Connections Discovery"
@@ -20,32 +18,35 @@ risk_score = 21
 rule_id = "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("netstat", "lsof", "who", "w")
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1049"
 name = "System Network Connections Discovery"
 reference = "https://attack.mitre.org/techniques/T1049/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml
index e558d25c5..284105bfc 100644
--- a/rules_building_block/discovery_system_service_discovery.toml
+++ b/rules_building_block/discovery_system_service_discovery.toml
@@ -1,35 +1,41 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/01/24"
 integration = ["windows", "endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
-bypass_bbr_timing = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = """
-Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase
-after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.
+Detects the usage of commonly used system service discovery techniques, which attackers may use during the
+reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or
+escalate privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "System Service Discovery through built-in Windows Utilities"
 risk_score = 21
 rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55"
 severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Rule Type: BBR"
- ]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -44,15 +50,17 @@ process where host.os.type == "windows" and event.type == "start" and
 ) and not user.id : "S-1-5-18"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1007"
 name = "System Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1007/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml
index 7f57882ce..537fc9d8a 100644
--- a/rules_building_block/discovery_system_time_discovery.toml
+++ b/rules_building_block/discovery_system_time_discovery.toml
@@ -1,35 +1,40 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/01/24"
 integration = ["windows", "endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
-bypass_bbr_timing = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = """
 Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance
-phase after compromising a system. 
+phase after compromising a system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "System Time Discovery"
 risk_score = 21
 rule_id = "06568a02-af29-4f20-929c-f3af281e41aa"
 severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Rule Type: BBR"
- ]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -45,15 +50,17 @@ process where host.os.type == "windows" and event.type == "start" and
 ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1124"
 name = "System Time Discovery"
 reference = "https://attack.mitre.org/techniques/T1124/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml
index 318357b4d..dc1f9d257 100644
--- a/rules_building_block/discovery_win_network_connections.toml
+++ b/rules_building_block/discovery_win_network_connections.toml
@@ -1,18 +1,17 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/07/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
-bypass_bbr_timing = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = """
 This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may
-attempt to get a listing of network connections to or from a compromised system to identify targets within an environment.
+attempt to get a listing of network connections to or from a compromised system to identify targets within an
+environment.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.process-*"]
@@ -22,13 +21,14 @@ name = "Windows System Network Connections Discovery"
 risk_score = 21
 rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a"
 severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: BBR",
- "Data Source: Elastic Defend"
- ]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -49,9 +49,9 @@ process where event.type == "start" and
 ) and not user.id : "S-1-5-18"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1049"
 name = "System Network Connections Discovery"
@@ -62,7 +62,9 @@ id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml
index 0cd59156c..3116404c9 100644
--- a/rules_building_block/discovery_windows_system_information_discovery.toml
+++ b/rules_building_block/discovery_windows_system_information_discovery.toml
@@ -1,11 +1,9 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/07/06"
 integration = ["windows", "endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
-bypass_bbr_timing = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -22,13 +20,15 @@ name = "Windows System Information Discovery"
 risk_score = 21
 rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169"
 severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -52,15 +52,17 @@ process.parent.executable : (
 ) and not user.id : "S-1-5-18"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml
index 411b406a4..cc3256581 100644
--- a/rules_building_block/execution_github_new_event_action_for_pat.toml
+++ b/rules_building_block/execution_github_new_event_action_for_pat.toml
@@ -3,16 +3,12 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added to GitHub Integration"
-min_stack_version = "8.8.0"
-updated_date = "2023/12/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = """
-Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.
-"""
+description = "Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.\n"
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "kuery"
@@ -21,13 +17,14 @@ name = "First Occurrence GitHub Event for a Personal Access Token (PAT)"
 risk_score = 21
 rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5"
 severity = "low"
-tags = ["Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Execution",
- "Rule Type: BBR",
- "Data Source: Github"
- ]
+tags = [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -37,6 +34,7 @@ event.action:* and github.hashed_token:* and
 github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
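Review bot: Removing `min_stack_version = "8.8.0"` leaves no record that `github.hashed_token` and `github.programmatic_access_type`, which the query in the last hunk of this file still filters on, were only added to the GitHub integration in 8.8; the removal is safe only if the minimum stack version this PR now assumes everywhere is at or above 8.8.0, which cannot be confirmed from this hunk. The same 8.8.0 gate is dropped in execution_github_repo_interaction_from_new_ip.toml, and the 8.6.0 gate for multi-field new_terms rules is dropped in execution_github_new_repo_interaction_for_user.toml and execution_unsigned_service_executable.toml, whose `new_terms_fields` values still list two or three fields. If the assumed floor is lower than either version, a rule package built for an older stack would carry rules that fail to load or never match, which surfaces only as missing alerts rather than an error. A one-line statement of the new floor in the PR description, or a test asserting it, would make the removal reviewable; failing that, a comment such as `# relies on the repo-wide minimum stack being >= 8.8.0 (GitHub integration fields)` in the metadata block would preserve the context being deleted.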
@@ -50,11 +48,11 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["github.hashed_token", "event.action"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
index 98e6201bb..f8c429ed7 100644
--- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
+++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
@@ -3,16 +3,12 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added to GitHub Integration"
-min_stack_version = "8.8.0"
-updated_date = "2023/12/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = """
-Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.
-"""
+description = "Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.\n"
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "kuery"
@@ -21,13 +17,14 @@ name = "First Occurrence of Private Repo Event from Specific GitHub Personal Acc
 risk_score = 21
 rule_id = "1e9b271c-8caa-4e20-aed8-e91e34de9283"
 severity = "low"
-tags = ["Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Execution",
- "Rule Type: BBR",
- "Data Source: Github"
- ]
+tags = [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -38,6 +35,7 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal
 github.repository_public:false
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -51,11 +49,11 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["github.hashed_token", "github.repo"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
index 9f9002042..eeb371692 100644
--- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml
+++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
@@ -3,16 +3,12 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/12/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = """
-Detects a new private repo interaction for a GitHub user not seen in the last 14 days.
-"""
+description = "Detects a new private repo interaction for a GitHub user not seen in the last 14 days.\n"
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "kuery"
@@ -21,13 +17,14 @@ name = "First Occurrence of GitHub User Interaction with Private Repo"
 risk_score = 21
 rule_id = "01c49712-25bc-49d2-a27d-d7ce52f5dc49"
 severity = "low"
-tags = ["Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Execution",
- "Rule Type: BBR",
- "Data Source: Github"
- ]
+tags = [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -37,6 +34,7 @@ github.repo:* and user.name:* and
 github.repository_public:false
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -50,11 +48,11 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.name", "github.repo"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+
diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml
index c10de1f2e..e8232137b 100644
--- a/rules_building_block/execution_github_repo_created.toml
+++ b/rules_building_block/execution_github_repo_created.toml
@@ -3,16 +3,12 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/12/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = """
-A new GitHub repository was created.
-"""
+description = "A new GitHub repository was created.\n"
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "eql"
@@ -21,13 +17,14 @@ name = "GitHub Repo Created"
 risk_score = 21
 rule_id = "6cea88e4-6ce2-4238-9981-a54c140d6336"
 severity = "low"
-tags = ["Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Execution",
- "Rule Type: BBR",
- "Data Source: Github"
- ]
+tags = [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -35,6 +32,7 @@ query = '''
 configuration where event.dataset == "github.audit" and event.action == "repo.create"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -47,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1648/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
index a9b685231..52daf9d6e 100644
--- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
+++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
@@ -1,18 +1,14 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added to GitHub Integration"
-min_stack_version = "8.8.0"
-updated_date = "2023/12/14"
-bypass_bbr_timing = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = """
-Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.
-"""
+description = "Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.\n"
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "kuery"
@@ -21,13 +17,14 @@ name = "First Occurrence of GitHub Repo Interaction From a New IP"
 risk_score = 21
 rule_id = "0294f105-d7af-4a02-ae90-35f56763ffa2"
 severity = "low"
-tags = ["Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Execution",
- "Rule Type: BBR",
- "Data Source: Github"
- ]
+tags = [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -37,6 +34,7 @@ github.actor_ip:* and github.repo:* and
 github.repository_public:false
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -50,11 +48,11 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.new_terms]
 field = "new_terms_f
ields"
 value = ["github.repo", "github.actor_ip"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+
diff --git a/rules_building_block/execution_linux_segfault.toml b/rules_building_block/execution_linux_segfault.toml
index 052ee0410..e1d006ca6 100644
--- a/rules_building_block/execution_linux_segfault.toml
+++ b/rules_building_block/execution_linux_segfault.toml
@@ -3,12 +3,11 @@ bypass_bbr_timing = true
 creation_date = "2023/10/26"
 integration = ["system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/26"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Monitors kernel logs for segfault messages. A segfault, or segmentation fault, is an error that occurs when a program tries to access a memory location that it's not allowed to access, typically leading to program termination. A segfault
@@ -47,20 +46,15 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
 - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Rule Type: BBR"
- ]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "query"
+
 query = '''
 host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:segfault
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml
index f4834c928..cef517d3a 100644
--- a/rules_building_block/execution_settingcontent_ms_file_creation.toml
+++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml
@@ -3,12 +3,11 @@ bypass_bbr_timing = true
 creation_date = "2023/08/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.
@@ -18,15 +17,19 @@ index = ["logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of SettingContent-ms Files"
-references = [
- "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39",
-]
+references = ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"]
 risk_score = 21
 rule_id = "1e6363a6-3af5-41d4-b7ea-d475389c0ceb"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 query = '''
@@ -38,40 +41,39 @@ file where host.os.type == "windows" and event.type == "creation" and
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
 reference = "https://attack.mitre.org/techniques/T1204/"
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
- [[rule.threat.technique.subtechnique]]
- id = "T1204.002"
- name = "Malicious File"
- reference = "https://attack.mitre.org/techniques/T1204/002/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
- [[rule.threat.technique.subtechnique]]
- id = "T1566.001"
- name = "Spearphishing Attachment"
- reference = "https://attack.mitre.org/techniques/T1566/001/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules_building_block/execution_unix_socket_communication.toml b/rules_building_block/execution_unix_socket_communication.toml
index 26e055dbe..bd444e795 100644
--- a/rules_building_block/execution_unix_socket_communication.toml
+++ b/rules_building_block/execution_unix_socket_communication.toml
@@ -1,19 +1,18 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/09/04"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
-bypass_bbr_timing = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
-This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local
-Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate
-privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to
-evade detection.
+This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local
+Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate
+privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to
+evade detection.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -24,18 +23,18 @@ risk_score = 21
 rule_id = "41284ba3-ed1a-4598-bfba-a97f75d9aba2"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Rule Type: BBR",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager",
+]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and (
@@ -46,15 +45,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1559"
 name = "Inter-Process Communication"
 reference = "https://attack.mitre.org/techniques/T1559/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml
index ee7b2e8f6..e6c2b4816 100644
--- a/rules_building_block/execution_unsigned_service_executable.toml
+++ b/rules_building_block/execution_unsigned_service_executable.toml
@@ -1,11 +1,9 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/07/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/04/05"
-bypass_bbr_timing = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -22,14 +20,15 @@ name = "Execution of an Unsigned Service"
 risk_score = 21
 rule_id = "56fdfcf1-ca7c-4fd9-951d-e215ee26e404"
 severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Defense Evasion",
- "Rule Type: BBR",
- "Data Source: Elastic Defend"
- ]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -40,36 +39,37 @@ process.parent.executable:"C:\\Windows\\System32\\services.exe" and
 not process.code_signature.status : (errorCode_endpoint* or "errorChaining")
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1569"
 name = "System Services"
 reference = "https://attack.mitre.org/techniques/T1569/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1569.002"
 name = "Service Execution"
 reference = "https://attack.mitre.org/techniques/T1569/002/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
@@ -78,7 +78,8 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable", "user.id"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
\ No newline at end of file
+value = "now-14d"
+
+
diff --git a/rules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml
index 6f65b1aca..0e8da7c05 100644
--- a/rules_building_block/execution_wmi_wbemtest.toml
+++ b/rules_building_block/execution_wmi_wbemtest.toml
@@ -2,28 +2,40 @@
 creation_date = "2023/08/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints.
 """
 from = "now-119m"
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 interval = "60m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "WMI WBEMTEST Utility Execution"
 risk_score = 21
 rule_id = "d3551433-782f-4e22-bbea-c816af2d41c6"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+ "Data Source: Elastic Endgame",
+]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 query = '''
@@ -33,13 +45,14 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules_building_block/impact_github_member_removed_from_organization.toml b/rules_building_block/impact_github_member_removed_from_organization.toml
index ddffcc741..9b6f36d68 100644
--- a/rules_building_block/impact_github_member_removed_from_organization.toml
+++ b/rules_building_block/impact_github_member_removed_from_organization.toml
@@ -1,18 +1,14 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/12/21"
-bypass_bbr_timing = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = """
-A member was removed or their invitation to join was removed from a GitHub Organization.
-"""
+description = "A member was removed or their invitation to join was removed from a GitHub Organization.\n"
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "eql"
@@ -21,13 +17,14 @@ name = "Member Removed From GitHub Organization"
 risk_score = 21
 rule_id = "095b6a58-8f88-4b59-827c-ab584ad4e759"
 severity = "low"
-tags = ["Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Impact",
- "Rule Type: BBR",
- "Data Source: Github"
- ]
+tags = [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Rule Type: BBR",
+ "Data Source: Github",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -35,6 +32,7 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.remove_member" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -47,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml index aa9fc0e0c..40804acb1 100644 --- a/rules_building_block/impact_github_pat_access_revoked.toml +++ b/rules_building_block/impact_github_pat_access_revoked.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Access to private GitHub organization resources was revoked for a PAT. -""" +description = "Access to private GitHub organization resources was revoked for a PAT.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -21,13 +17,14 @@ name = "GitHub PAT Access Revoked" risk_score = 21 rule_id = "8a0fd93a-7df8-410d-8808-4cc5e340f2b9" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" @@ -35,6 +32,7 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -47,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules_building_block/impact_github_user_blocked_from_organization.toml b/rules_building_block/impact_github_user_blocked_from_organization.toml index 96daeacf8..01bce32d7 100644 --- a/rules_building_block/impact_github_user_blocked_from_organization.toml +++ b/rules_building_block/impact_github_user_blocked_from_organization.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -A GitHub user was blocked from access to an organization. -""" +description = "A GitHub user was blocked from access to an organization.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -21,13 +17,14 @@ name = "GitHub User Blocked From Organization" risk_score = 21 rule_id = "4030c951-448a-4017-a2da-ed60f6d14f4f" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" @@ -35,6 +32,7 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.block_user" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -47,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + 
diff --git a/rules_building_block/initial_access_cross_site_scripting.toml b/rules_building_block/initial_access_cross_site_scripting.toml index 318d16160..c2a27be30 100644 --- a/rules_building_block/initial_access_cross_site_scripting.toml +++ b/rules_building_block/initial_access_cross_site_scripting.toml @@ -2,20 +2,19 @@ creation_date = "2023/07/12" integration = ["apm"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/12" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. -In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a -browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts. +Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS +attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side +script. This detection rule identifies the potential malicious executions of such browser-side scripts. """ from = "now-119m" -interval = "60m" index = ["apm-*-transaction*", "traces-apm*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Cross Site Scripting (XSS)" @@ -25,7 +24,6 @@ rule_id = "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c" severity = "low" tags = ["Data Source: APM", "Use Case: Threat Detection", "Tactic: Initial Access"] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -47,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + 
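Review bot: The `tags` context line kept in the second hunk of this file, `tags = ["Data Source: APM", "Use Case: Threat Detection", "Tactic: Initial Access"]`, has no `"Rule Type: BBR"` entry even though the new side now declares `building_block_type = "default"` directly under `[rule]`; every other building-block rule in this patch carries that tag. Operators filter building-block rules by that tag in Kibana, so this one would be missed by such a filter unless the build injects the tag later, which the hunk does not show. Since the file is being rewritten anyway, I would add `"Rule Type: BBR"` to the list. The EQL query is outside this hunk, so I cannot comment on its coverage.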
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml index b1fa1b90d..85b7086c0 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days. -""" +description = "Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -21,13 +17,14 @@ name = "First Occurrence of IP Address For GitHub Personal Access Token (PAT)" risk_score = 21 rule_id = "fc909baa-fb34-4c46-9691-be276ef4234c" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -37,6 +34,7 @@ github.actor_ip:* and github.hashed_token:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,6 +46,8 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" 
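Review bot: Dropping `min_stack_version = "8.8.0"` together with its comment `New fields added to GitHub Integration` removes the only record in this file that `github.hashed_token` and `github.programmatic_access_type` depend on a newer GitHub integration package; the trimmed `[metadata]` no longer says which package or stack ships them. That is presumably safe if the backported stack-schema-map floor is at or above 8.8.0 and the `integration = ["github"]` mapping resolves to a package version that has those fields, but nothing in this hunk establishes it. If the floor is lower, the new_terms rule installs cleanly yet never fires, because `github.hashed_token:*` is false on every event and no error surfaces. I would confirm the floor in the schema map before merging the backport and mention that dependency in the PR description, since the repo tooling rewrites these TOML files and a free-form `#` comment may not survive the next regeneration.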
@@ -56,7 +56,8 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.actor_ip"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/initial_access_github_new_ip_address_for_user.toml b/rules_building_block/initial_access_github_new_ip_address_for_user.toml index 38bb8adf0..25ef2800c 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_user.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_user.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a new IP address used for a GitHub user not previously seen in the last 14 days. -""" +description = "Detects a new IP address used for a GitHub user not previously seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -21,13 +17,14 @@ name = "First Occurrence of IP Address For GitHub User" risk_score = 21 rule_id = "3af4cb9b-973f-4c54-be2b-7623c0e21b2b" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -36,6 +33,7 @@ event.dataset:"github.audit" and event.category:"configuration" and github.actor_ip:* and user.name:* ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -47,6 +45,8 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -55,7 +55,8 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.actor_ip"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml index 64308ff17..b47383907 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days. -""" +description = "Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -21,13 +17,14 @@ name = "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)" risk_score = 21 rule_id = "0e4367a0-a483-439d-ad2e-d90500b925fd" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -37,6 +34,7 @@ github.user_agent:* and github.hashed_token:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,6 +46,8 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -56,7 +56,8 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.user_agent"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/initial_access_github_new_user_agent_for_user.toml b/rules_building_block/initial_access_github_new_user_agent_for_user.toml index 7980a538d..8463648e6 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_user.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_user.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a new user agent used for a GitHub user not previously seen in the last 14 days. -""" +description = "Detects a new user agent used for a GitHub user not previously seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -21,13 +17,14 @@ name = "First Occurrence of User-Agent For a GitHub User" risk_score = 21 rule_id = "41761cd3-380f-4d4d-89f3-46d6853ee35d" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -36,6 +33,7 @@ event.dataset:"github.audit" and event.category:"configuration" and github.user_agent:* and user.name:* ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -47,6 +45,8 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -55,7 +55,8 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.user_agent"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml index 0ccabf7ce..17e6965f8 100644 --- a/rules_building_block/lateral_movement_at.toml +++ b/rules_building_block/lateral_movement_at.toml 
@@ -2,29 +2,41 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement. """ from = "now-119m" +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] interval = "60m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "At.exe Command Lateral Movement" risk_score = 21 rule_id = "b483365c-98a8-40c0-92d8-0458ca25058a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" 
@@ -33,25 +45,22 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" @@ -62,7 +71,10 @@ id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml index 6110207d5..4a6aa3206 100644 --- a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml +++ b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml 
@@ -2,29 +2,33 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral -movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish -an RDP connection to evade detection. +movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP +connection to evade detection. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.network-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Outgoing RDP Connection by Unusual Process" risk_score = 21 rule_id = "8e39f54e-910b-4adb-a87e-494fbba5fb65" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -63,3 +67,4 @@ reference = "https://attack.mitre.org/techniques/T1021/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml index 1739922bb..dbc9fce69 100644 --- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml +++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml 
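Review bot: The rewritten `tags` list on the new side of this hunk omits `"Rule Type: BBR"` while the file now sets `building_block_type = "default"` under `[rule]`; the other endpoint building-block rules reformatted in this patch all include that tag. Without it the rule is invisible to a tag-based building-block filter in Kibana, so I would add `"Rule Type: BBR",` after `"Data Source: Elastic Defend",`. The EQL query starts after the end of this hunk, so I cannot comment on the process exclusion list.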
@@ -1,17 +1,16 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL -instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement. +Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of +SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement. """ from = "now-9m" index = ["logs-endpoint.events.process-*"] 
@@ -20,15 +19,22 @@ license = "Elastic License v2" name = "Unusual Process For MSSQL Service Accounts" references = [ "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", - "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16" + "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16", ] risk_score = 21 rule_id = "e74d645b-fec6-431e-bf93-ca64a538e0de" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where event.type == "start" and host.os.type == "windows" and @@ -82,21 +88,21 @@ reference = "https://attack.mitre.org/techniques/T1210/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] id = "T1505.001" name = "SQL Stored Procedures" reference = "https://attack.mitre.org/techniques/T1505/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 9238c44be..273375289 100644 
--- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,28 +2,33 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "WMIC Remote Command" risk_score = 21 rule_id = "f59668de-caa0-4b84-94c1-3a1549e1e798" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -37,31 +42,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml index ed153da86..f4aaaef46 100644 --- a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml +++ b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/30" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,7 +30,7 @@ tags = [ "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence", - "Rule Type: BBR" + "Rule Type: BBR", ] timestamp_override = "event.ingested" type = "query" 
@@ -46,14 +44,6 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" -[[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" @@ -63,6 +53,17 @@ name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + + + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/persistence_creation_of_kernel_module.toml b/rules_building_block/persistence_creation_of_kernel_module.toml index 1a5f88f21..4ba49615d 100644 --- a/rules_building_block/persistence_creation_of_kernel_module.toml +++ b/rules_building_block/persistence_creation_of_kernel_module.toml 
@@ -2,19 +2,15 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory. -""" +description = "Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.\n" from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Creation of Kernel Module" @@ -22,16 +18,17 @@ risk_score = 21 rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and file.extension == "ko" and not process.name : ( 
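Review bot: The query context at the end of this hunk, `file.path : "/lib/modules/*" and file.extension == "ko"`, only matches uncompressed modules, so creation of `.ko.xz` or `.ko.zst` files under `/lib/modules/` — the form most current distributions ship and that an attacker can drop just as easily — is not covered, because for such a path `file.extension` holds `xz` or `zst`, not `ko`. Since the file is being rewritten anyway, a small query change closes that gap: `(file.extension == "ko" or file.name : ("*.ko.xz", "*.ko.zst", "*.ko.gz"))`. It is also worth confirming how the endpoint reports paths on merged-`/usr` hosts, where `/lib` is a symlink to `/usr/lib`; if the event carries the resolved path, the `/lib/modules/*` prefix alone would miss it. The `process.name` exclusion list continues outside this hunk.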
@@ -39,20 +36,22 @@ file.extension == "ko" and not process.name : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml index cfef12dc0..a7cfbd7e4 100644 --- a/rules_building_block/persistence_github_new_pat_for_user.toml +++ b/rules_building_block/persistence_github_new_pat_for_user.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -A new PAT was used for a GitHub user not previously seen in the last 14 days. -""" +description = "A new PAT was used for a GitHub user not previously seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -21,13 +17,14 @@ name = "First Occurrence of Personal Access Token (PAT) Use For a GitHub User" risk_score = 21 rule_id = "f94e898e-94f1-4545-8923-03e4b2866211" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -37,6 +34,7 @@ github.hashed_token:* and user.name:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,6 +46,8 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -56,7 +56,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.hashed_token"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml index 685fa8fbe..6de318f91 100644 --- a/rules_building_block/persistence_github_new_user_added_to_organization.toml +++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml 
@@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/21" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -A new user was added to a GitHub organization. -""" +description = "A new user was added to a GitHub organization.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -21,13 +17,14 @@ name = "New User Added To GitHub Organization" risk_score = 21 rule_id = "61336fe6-c043-4743-ab6e-41292f439603" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" @@ -35,6 +32,7 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.add_member" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +44,10 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/persistence_startup_folder_lnk.toml b/rules_building_block/persistence_startup_folder_lnk.toml index c8967f887..0cfb8ff93 100644 --- a/rules_building_block/persistence_startup_folder_lnk.toml +++ b/rules_building_block/persistence_startup_folder_lnk.toml 
@@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies shortcut files written to or modified in the startup folder. Adversaries may use this technique to maintain persistence. @@ -21,9 +20,15 @@ name = "Shortcut File Written or Modified on Startup Folder" risk_score = 21 rule_id = "ee53d67a-5f0c-423c-a53c-8084ae562b5c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -63,3 +68,4 @@ reference = "https://attack.mitre.org/techniques/T1547/009/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml index 993b637e4..41a64eb14 100644 --- a/rules_building_block/persistence_transport_agent_exchange.toml +++ b/rules_building_block/persistence_transport_agent_exchange.toml 
@@ -2,20 +2,19 @@ creation_date = "2023/07/14" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "Microsoft Exchange Transport Agent Install Script" @@ -37,10 +36,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category: "process" and host.os.type:windows and 
@@ -58,34 +63,35 @@ event.category: "process" and host.os.type:windows and ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" - +case_insensitive = true +value = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -120,3 +126,4 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/privilege_escalation_trap_execution.toml b/rules_building_block/privilege_escalation_trap_execution.toml index f077ca029..52787ad90 100644 --- a/rules_building_block/privilege_escalation_trap_execution.toml 
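Review bot: The four negated `file.path` wildcard filters exclude scripts under user-writable paths such as `?:\\Users\\*\\AppData\\Local\\Temp\\*\\tmp_????????.???\\tmp_????????.???.ps?1`, so any account that can write to its own Temp directory can stage a transport-agent install script under a matching `tmp_XXXXXXXX.XXX\tmp_XXXXXXXX.XXX.ps1` name and suppress this rule; the hunk only reformats those filters, it does not narrow them. If the exclusions exist for the Exchange remote-PowerShell temp scripts they appear to target, consider tying them to that origin (for example the Exchange management user or parent process, if the PowerShell data source exposes such a field) rather than to path shape alone, and at minimum document the evasion in the rule `note` so analysts know the gap. The `?:\\Windows\\TEMP\\...` entry is less exposed, but the same reasoning applies to anything able to write there.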
+++ b/rules_building_block/privilege_escalation_trap_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,8 +12,8 @@ Identify activity related where adversaries can include a trap command which the commands that will be executed upon receiving interrupt signals. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Trap Signals Execution" 
@@ -23,37 +21,40 @@ risk_score = 21 rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "trap" and process.args : "SIG*" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.005" name = "Trap" reference = "https://attack.mitre.org/techniques/T1546/005/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 2170d5a75..f73dcd8f4 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
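Review bot: `process.args : "SIG*"` in the query only matches signal specs written with the `SIG` prefix, while POSIX shells also accept `trap 'cmd' INT`, numeric forms like `trap 'cmd' 2`, and the `EXIT`/`ERR` pseudo-signals, none of which carry that prefix, so those invocations fall outside the rule; the hunk leaves the query untouched and only reformats tags and spacing. Consider widening to the unprefixed names as well, e.g. `process.args : ("SIG*", "INT", "TERM", "HUP", "QUIT", "EXIT", "ERR")`, with numeric specs handled by a separate pattern if the noise is acceptable. Since `trap` is a shell builtin, which exec events actually produce `process.name == "trap"` is not visible from this file; worth confirming against the rule's RTA before relying on it.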
@@ -28,7 +28,7 @@ from detection_rules.rule import (AlertSuppressionMapping, QueryRuleData, QueryV ThresholdAlertSuppression, TOMLRuleContents) from detection_rules.rule_loader import FILE_PATTERN from detection_rules.rule_validators import EQLValidator, KQLValidator -from detection_rules.schemas import definitions, get_stack_schemas +from detection_rules.schemas import definitions, get_min_supported_stack_version, get_stack_schemas from detection_rules.utils import INTEGRATION_RULE_DIR, PatchedTemplate, get_path, load_etc_dump from detection_rules.version_lock import default_version_lock from rta import get_available_tests @@ -1111,6 +1111,7 @@ class TestBuildTimeFields(BaseRuleTest): def test_build_fields_min_stack(self): """Test that newly introduced build-time fields for a min_stack for applicable rules.""" current_stack_ver = PACKAGE_STACK_VERSION + min_supported_stack_version = get_min_supported_stack_version() invalids = [] for rule in self.production_rules: @@ -1120,7 +1121,12 @@ class TestBuildTimeFields(BaseRuleTest): errors = [] for build_field, field_versions in build_fields.items(): start_ver, end_ver = field_versions - if start_ver is not None and current_stack_ver >= start_ver: + # when a _new_ build time field is introduced, _all_ rules _must_ have a min_stack_version for the stack + # version in which the field was introduced. This is because the initial change will result in a hash + # change which is different because of the build time fields. + # This also ensures that the introduced version is greater than the min supported, in order to age off + # old and unneeded checks. (i.e. 8.3.0 < 8.9.0 min supported, so it is irrelevant now) + if start_ver is not None and current_stack_ver >= start_ver >= min_supported_stack_version: if min_stack is None or not Version.parse(min_stack) >= start_ver: errors.append(f'{build_field} >= {start_ver}')