[Security Content] Refactor Existing Investigation Guides (#1959)

* Initial commit

* Update Investigation guides - security-docs review

* Update command_and_control_dns_tunneling_nslookup.toml

* Update defense_evasion_amsienable_key_mod.toml

* Apply security-docs review

* Remove dot

* Update rules/windows/command_and_control_rdp_tunnel_plink.toml

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply changes from review

* Apply the suggestion

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

(cherry picked from commit 817b97f428)
Jonhnathan
2022-05-18 12:59:39 -03:00
committed by github-actions[bot]
parent 4817bf26c8
commit 7c90f1d4c4
66 changed files with 1204 additions and 566 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/19"
maturity = "production"
updated_date = "2022/03/02"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Suspicious Script with Audio Capture Capabilities"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating PowerShell Suspicious Script with Audio Capture Capabilities
@@ -25,16 +25,16 @@ connected to the victim's computer.
#### Possible investigation steps
- Examine script content that triggered the detection.
- Investigate the script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- Investigate other alerts related to the user/host in the last 48 hours.
- Consider whether the user needs PowerShell to complete its tasks.
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Examine file or network events from the involved PowerShell process for suspicious behavior.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Evaluate whether the user needs to use PowerShell to complete tasks.
- Investigate if the script stores the recorded data locally and determine if anything was recorded.
- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.
- Assess network data to determine if the host communicated with the exfiltration server.
- Determine if the user credentials were compromised and if the attacker used them to perform unauthorized access to the
linked email account.
### False positive analysis
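Review bot: the last added step, "Determine if the user credentials were compromised and if the attacker used them to perform unauthorized access to the linked email account", refers to a "linked email account" that nothing earlier in this audio-capture guide introduces; either say which account is meant (the mailbox of the user who ran the script) or drop the clause, since credential exposure is handled in the response section.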
@@ -49,10 +49,17 @@ authorized benign true positives (B-TPs), exceptions can be added.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.
- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.
- Review GPOs to add additional restrictions for PowerShell usage by users.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
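Review bot: "Isolate the involved hosts to prevent further post-compromise behavior" uses the plural while the neighbouring "Quarantine the involved host" and the other guides in this commit ("Isolate the involved host") use the singular; align on one form. "The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage" is a prioritization condition rather than an action, so it reads better as the first bullet, next to "Initiate the incident response process", than between two containment steps.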
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2022/03/02"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Keylogging Script"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating PowerShell Keylogging Script
@@ -24,13 +24,15 @@ makes it available for use in various environments, and creates an attractive wa
Attackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other
valuable information as credit card data and confidential conversations.
#### Possible investigation steps:
#### Possible investigation steps
- Examine script content that triggered the detection.
- Investigate the script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- Investigate other alerts related to the user/host in the last 48 hours.
- Consider whether the user needs PowerShell to complete its tasks.
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Examine file or network events from the involved PowerShell process for suspicious behavior.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Evaluate whether the user needs to use PowerShell to complete tasks.
- Investigate if the script stores the captured data locally.
- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.
- Assess network data to determine if the host communicated with the exfiltration server.
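Review bot: the unchanged context at the top of this hunk reads "valuable information as credit card data and confidential conversations"; it should be "such as credit card data", and since the note is being refactored anyway this is the time to fix it. Dropping the colon from "#### Possible investigation steps:" is correct and matches the heading form used in the other guides.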
@@ -47,10 +49,17 @@ false positives unlikely. In the case of authorized benign true positives (B-TPs
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.
- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.
- Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
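Review bot: "Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.)" and "Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts..." describe the same action; only one should remain in the final list, and the longer one is the better of the two because it first scopes which accounts are affected before resetting anything.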
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/19"
maturity = "production"
updated_date = "2022/03/07"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -26,14 +26,16 @@ of an operation.
#### Possible investigation steps
- Examine the script content that triggered the detection.
- Investigate the script execution chain (parent process tree).
- Inspect file or network events from the suspicious PowerShell host process instance.
- Investigate other alerts associated with the user or host in the past 48 hours.
- Consider whether the user needs PowerShell to complete its tasks.
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Examine file or network events from the involved PowerShell process for suspicious behavior.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Evaluate whether the user needs to use PowerShell to complete tasks.
- Investigate if the script stores the captured data locally.
- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.
- Examine network data to determine if the host communicated with the exfiltration server.
- Assess network data to determine if the host communicated with the exfiltration server.
### False positive analysis
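Review bot: "Examine network data to determine if the host communicated with the exfiltration server." and "Assess network data to determine if the host communicated with the exfiltration server." are the same step twice, differing only in the verb; make sure exactly one survives, and use "Assess" to match the audio-capture and keylogging guides in this commit.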
@@ -47,9 +49,16 @@ positives unlikely. In the case of authorized benign true positives (B-TPs), exc
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.
- Reset the password for the user account.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/04"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -26,9 +26,10 @@ These steps are usually done in preparation for exfiltration, meaning the attack
#### Possible investigation steps
- Investigate the script execution chain (parent process tree).
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Retrieve the encrypted file.
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check if the password used in the encryption was included in the command line.
- Decrypt the `.rar`/`.zip` and check if the information is sensitive.
- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the
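Review bot: "Investigate the script execution chain (parent process tree) for unknown processes" is carried over from the PowerShell guides, but this rule concerns an archiving tool encrypting files, not a script; use "process execution chain", the wording the RDP and tunneling guides in this commit already use. "Check if the password used in the encryption was included in the command line" could also say where to look, i.e. the process command-line field of the alert, since the WinRAR `-hp` step below depends on that same field.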
@@ -43,10 +44,16 @@ file names included in the encrypted file.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- If personally identifiable information (PII) or other classified data is involved, investigations into this should be prioritized.
- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
- Reset the passwords of the involved accounts.
- Safeguard critical assets to prevent further harm or theft of data.
- Prioritize cases that involve personally identifiable information (PII) or other classified data.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/03/19"
maturity = "production"
updated_date = "2022/03/07"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -26,15 +26,20 @@ This rule looks for network events where `certutil.exe` contacts IP ranges other
#### Possible investigation steps
- Investigate the script execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate if the downloaded file was executed.
- Determine the context in which `certutil.exe` and the file were run.
- Retrieve the file downloaded and:
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts of contacting external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Retrieve the downloaded file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
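Review bot: "Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values" is plural while its parent step is "Retrieve the downloaded file and determine if it is malicious" (one file); make the number agree. The same plural appears in the other guides touched by this commit. As with the archive guide, "Investigate the script execution chain" should be "process execution chain" here, since `certutil.exe` is a process, not a script.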
@@ -48,7 +53,17 @@ of user and command line conditions.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
references = [
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
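Review bot: this response list has no credential-related step, unlike the other response sections in this commit ("Investigate credential exposure on systems compromised or used by the attacker..."); if that is intentional for a download-only rule it is fine, but a file fetched with `certutil.exe` is frequently the first stage of a larger intrusion, so consider adding the same step here for consistency.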
@@ -29,13 +29,20 @@ be abused for exfiltration or command and control.
#### Possible investigation steps
- Investigate the script execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Verify whether the digital signature exists in the executable.
- Identify the kind of the operation (upload, download, tunneling, etc.).
- Use a sandboxed malware analysis system to perform analysis on the executable.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Identify the operation type (upload, download, tunneling, etc.).
- Retrieve the process executable and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
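Review bot: "Verify whether the digital signature exists in the executable" overlaps with the new execution-chain step, which already asks whether executables "are signed with valid digital signatures"; fold the two and keep the validity check rather than the existence check, since the presence of a signature alone says little (it may be expired, revoked, or not chain to a trusted root). "Investigate the script execution chain" should read "process execution chain" here as well.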
@@ -47,7 +54,17 @@ false positives can be added as exceptions.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 21
rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/11"
maturity = "production"
updated_date = "2022/03/07"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -29,10 +29,12 @@ More information on how tunneling works and how it can be abused can be found on
#### Possible investigation steps
- Investigate the script execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Inspect the DNS query and identify the information sent.
- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.
- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially
compromised hosts.
### False positive analysis
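Review bot: "Inspect the DNS query and identify the information sent" does not say where the data is; with nslookup-based tunneling the payload travels encoded in the queried name itself (the subdomain labels of the command-line argument), so point the analyst at the queried name in the process command line and at its length and encoding. The re-wrapped IoC step is a pure line-length change and reads fine.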
@@ -43,12 +45,18 @@ command and control related, this alert can be closed.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Immediately block the IoCs identified on the triage.
- Immediately block the identified indicators of compromise (IoCs).
- Implement any temporary network rules, procedures, and segmentation required to contain the attack.
- Capture forensic images to preserve evidence.
- Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Update firewall rules to be more restrictive.
- Reimage affected systems.
- Reimage the host operating system or restore the compromised files to clean versions.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"]
risk_score = 47
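Review bot: "Update firewall rules to be more restrictive" is not actionable as written; since this guide concerns DNS tunneling, say what the rule should enforce, for example permitting outbound DNS only to the organization's resolvers in addition to blocking the IoCs from the "Immediately block the identified indicators of compromise (IoCs)" step. Keeping "Capture forensic images to preserve evidence" ahead of "Reimage the host operating system or restore the compromised files to clean versions" is the right order; do not let a later reorder swap them.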
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/25"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -28,13 +28,14 @@ This rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Service
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Contact the account and system owners and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts on the environment.
- Identify the target host IP address, verify if connections were made from the host where the modification occurred,
and check what credentials were used to perform it.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Identify the target host IP address, check the connections originating from the host where the modification occurred,
and inspect the credentials used.
- Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.
### False positive analysis
@@ -49,8 +50,21 @@ of user and command line conditions.
- Initiate the incident response process based on the outcome of the triage.
- Delete the port forwarding rule.
- Isolate the involved host to prevent further post-compromise behavior.
- If potential malware or credential compromise activities were discovered during the alert triage, activate the respective
incident response plan.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
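Review bot: "Delete the port forwarding rule" sits before "Isolate the involved host to prevent further post-compromise behavior", yet the investigation steps above rely on the rule's contents (the target host IP address and the connections made through it); either move deletion after isolation and evidence collection, or state that the rule value is recorded before it is removed.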
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/14"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -30,11 +30,12 @@ with tools that perform tunneling.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Contact the account and system owners and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Determine if the activity is unique by validating if other machines in the organization have similar entries.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Examine network data to determine if the host communicated with external servers using the tunnel.
### False positive analysis
@@ -46,10 +47,16 @@ with tools that perform tunneling.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Disable the involved accounts, or restrict their ability to log on remotely.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Take actions to disable the tunneling.
- Investigate the initial attack vector.
- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key
modification, etc. Inspect the host to learn which method was used and to determine a response for the case.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/03"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -26,11 +26,12 @@ The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop i
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Determine if the activity is unique by validating if other machines in the organization have similar entries.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file
from an internal system.
- Retrieve the file and determine if it is malicious:
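Review bot: the context line in the hunk header reads "The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop i..."; the doubled "to" is in the unchanged text, so fix it while this note is being refactored. The rest of the hunk matches the wording adopted for the other download-related guides in this commit.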
@@ -41,8 +42,8 @@ from an internal system.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
@@ -55,12 +56,20 @@ if necessary.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Immediately block the IoCs identified.
- Remove and block malicious artifacts identified on the triage.
- Disable the involved accounts, or restrict their ability to log on remotely.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Investigate the initial attack vector.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/03"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -24,7 +24,8 @@ including malware and offensive tooling. This rule looks for the patterns used t
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
@@ -36,8 +37,8 @@ including malware and offensive tooling. This rule looks for the patterns used t
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
@@ -48,14 +49,20 @@ including malware and offensive tooling. This rule looks for the patterns used t
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Immediately block the IoCs identified.
- Remove and block malicious artifacts identified on the triage.
- Disable the involved accounts, or restrict their ability to log on remotely.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Investigate the initial attack vector.
Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
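Review bot: the unbulleted sentence "Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`." sits in the middle of the Response and remediation list; it is investigation guidance, not a remediation action, and without a leading "- " it will render as a paragraph that splits the list. Move it under Possible investigation steps as a bullet (or as a sub-bullet of the file retrieval step). This hunk also removes the "Disable the involved accounts, or restrict their ability to log on remotely." step without a replacement.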
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/30"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -25,9 +25,10 @@ PowerShell.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Consider whether the user needs PowerShell to complete its tasks.
- Evaluate whether the user needs to use PowerShell to complete tasks.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check the reputation of the domain or IP address used to host the downloaded file.
- Retrieve the file and determine if it is malicious:
@@ -37,8 +38,8 @@ PowerShell.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
@@ -50,12 +51,20 @@ if the Administrator is aware of the activity and the triage has not identified
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Immediately block the IoCs identified.
- Remove and block malicious artifacts identified on the triage.
- Disable the involved accounts, or restrict their ability to log on remotely.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Investigate the initial attack vector.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 47
rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d"
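Review bot: the order of the two new bullets differs from the other guides in this PR: here "Run a full antimalware scan" precedes "Investigate credential exposure", while the other refactored lists place the credential exposure step first. Pick one order for this shared block so the guides stay comparable, and note that the removed "Disable the involved accounts, or restrict their ability to log on remotely." step has no replacement here either.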
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/29"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -28,16 +28,21 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Retrieve the script file and the executable involved:
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts to contact external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Retrieve the script file and the executable involved and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Manually analyze the script to determine if malicious capabilities are present.
- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.
- Investigate other alerts related to the user/host in the last 48 hours.
- Check for similar behavior in other hosts on the environment.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
### False positive analysis
@@ -49,9 +54,20 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Remove and block malicious artifacts identified on the triage.
- Reimage the host operating system and restore compromised files to clean versions.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 47
rule_id = "1d276579-3380-4095-ad38-e596a01bc64f"
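Review bot: "Reimage the host operating system and restore compromised files to clean versions." is kept as an unchanged line, so in the new list it now comes before the containment steps (temporary network rules, stop suspicious processes, block IoCs) and before the backdoor inspection and antimalware scan steps. Reimaging first destroys the artifacts those later steps look for; move the reimage bullet after "Run a full antimalware scan", as the Orion Improvement Program guide in this PR does.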
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/14"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -34,31 +34,43 @@ by imitating the Orion Improvement Program (OIP) protocol behavior.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Retrieve the executable involved:
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts to contact external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Manually analyze the executable to determine if malicious capabilities are present.
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.
- Investigate the network traffic.
- Investigate other alerts related to the user/host in the last 48 hours.
- Check for similar behavior in other hosts on the environment.
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
- False positives are unlikely for this rule.
- This activity should not happen legitimately. The security team should address any potential benign true positive
(B-TP), as this configuration can put the environment at risk.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Remove and block malicious artifacts identified on the triage.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Reimage the host operating system and restore compromised files to clean versions.
- Upgrade SolarWinds systems to the latest version.
- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
references = [
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
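Review bot: the new false positive text "as this configuration can put the environment at risk" does not fit this rule, which detects backdoor command and control imitating the Orion Improvement Program protocol rather than a configuration change; it reads as copied from a configuration-related guide. Reword along the lines of "as this activity indicates a potentially compromised SolarWinds installation". Also, "Check for similar behavior in other hosts on the environment." is removed here without the "Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts." replacement that the cscript/wscript guide received.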
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -24,7 +24,8 @@ malicious activities. This rule looks for the TeamViewer process creating files
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Contact the user to gather information about who and why was conducting the remote access.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this
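Review bot: the unchanged line "Contact the user to gather information about who and why was conducting the remote access." is ungrammatical; since this guide is being refactored anyway, rewrite it as "Contact the user to identify who was conducting the remote access and why."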
@@ -36,8 +37,8 @@ access.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
@@ -49,11 +50,19 @@ remote access and the triage has not identified suspicious or malicious files.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Immediately block the IoCs identified.
- Remove and block malicious artifacts identified on the triage.
- Disable the involved accounts, or restrict their ability to log on remotely.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
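Review bot: unlike the other refactored Response and remediation sections in this PR, this list has no "Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector." bullet, and the removed "Disable the involved accounts, or restrict their ability to log on remotely." step has no replacement. Add both unless the omission is deliberate for the TeamViewer case, in which case a short reason in the PR description would help.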
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/02/08"
maturity = "production"
updated_date = "2022/04/04"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -44,12 +44,12 @@ It also filters out events that use computer accounts and also Azure AD Connect
#### Possible investigation steps
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Contact the account and system owners and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller
(DC) that received the replication request. This will tell you where the AD replication request came from, and if it
came from another DC or not.
- Investigate which credentials were compromised (for example whether all accounts were replicated, or only a specific account).
- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).
### False positive analysis
@@ -63,10 +63,16 @@ brute force, etc.).
- Initiate the incident response process based on the outcome of the triage.
- If specific credentials were compromised:
- Reset passwords for affected accounts.
- Reset the password for these accounts and other potentially compromised credentials, like email, business systems,
and web services.
- If the entire domain or the `krbtgt` user were compromised:
- Activate your incident response plan for total Active Directory compromise which should include, but not be limited
to, a password reset (twice) of the `krbtgt` user.
to, a password reset (twice) of the `krbtgt` user.
- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this
information to scope ways that the attacker could use to regain access to the environment.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
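Review bot: the line "to, a password reset (twice) of the `krbtgt` user." appears as both removed and added, so this is a whitespace-only change; confirm the added version indents the continuation under its parent "Activate your incident response plan for total Active Directory compromise" item (matching the indentation of the "If the entire domain or the `krbtgt` user were compromised:" sub-list) so the rendered list does not split. The wording itself is fine.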
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/24"
maturity = "production"
updated_date = "2022/04/20"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -31,10 +31,10 @@ can be brute-forced offline, similarly to Kerberoasting.
#### Possible investigation steps
- Identify the account that performed the action.
- Check whether this user should be doing this kind of activity.
- Investigate if the target account is privileged.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Determine if the target account is sensitive or privileged.
- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.
### False positive analysis
@@ -45,8 +45,13 @@ should map and monitor any potential benign true positives (B-TPs), especially i
- Initiate the incident response process based on the outcome of the triage.
- Reset the target account's password if there is any risk of TGTs having been retrieved.
- Reset the password of the origin user if the activity was not recognized by the account owner.
- Re-enable the preauthentication option for the account.
- Re-enable the preauthentication option or disable the target account.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
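Review bot: the remediation list now has three overlapping password-reset bullets: "Reset the target account's password if there is any risk of TGTs having been retrieved.", "Reset the password of the origin user if the activity was not recognized by the account owner.", and the new generic "Investigate credential exposure ... Reset passwords for these accounts" step. Either fold the first two into the new step or make the new step explicitly about additional accounts found during the investigation, so the analyst has one reset instruction per account class.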
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/23"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -27,11 +27,13 @@ compromise of the credentials stored in the host.
#### Possible investigation steps
- Investigate script execution chain (parent process tree).
- Confirm whether the involved account should perform this kind of operation.
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate if the file was exfiltrated or processed locally by other tools.
- Scope potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate if the credential material was exfiltrated or processed locally by other tools.
- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target
host.
### False positive analysis
@@ -47,9 +49,15 @@ the user is legitamitely performing this kind of activity.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Scope compromised credentials and disable affected accounts.
- Reset passwords for potentially compromised user and service accounts (Email, services, CRMs, etc.).
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Reimage the host operating system and restore compromised files to clean versions.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
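Review bot: "Run a full antimalware scan" is added directly after the unchanged "Reimage the host operating system and restore compromised files to clean versions." bullet, so the scan would run on a freshly reimaged host where it can find nothing; place the scan (and the new credential exposure step) before the reimage bullet. The hunk header context also shows the typo "legitamitely" in the False positive analysis section, which is worth fixing to "legitimately" while the guide is open.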
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/02"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -32,10 +32,20 @@ Kerberos tickets.
#### Possible investigation steps
- Investigate script execution chain (parent process tree).
- Investigate other alerts related to the host and user in the last 48 hours.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check if the Destination IP is related to a Domain Controller.
- Review event ID 4769 for suspicious ticket requests.
- Retrieve the process executable and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
@@ -46,8 +56,23 @@ non-standard port or destination IP address unrelated to Domain controllers can
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Scope possible compromised credentials based on ticket requests.
- Isolate the involved host to prevent further post-compromise behavior.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Ticket requests can be used to investigate potentially compromised accounts.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
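Review bot: "Ticket requests can be used to investigate potentially compromised accounts." is a statement rather than a response action and reads oddly inside the Response and remediation list, especially once "Scope possible compromised credentials based on ticket requests." is removed. Either restore the original action wording or move the sentence to Possible investigation steps next to "Review event ID 4769 for suspicious ticket requests."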
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/02/16"
maturity = "production"
updated_date = "2022/04/04"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -33,21 +33,46 @@ harvested by an adversary using administrative user or SYSTEM privileges to cond
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate the correct install path for the process that triggered this detection.
- Retrieve the process executable and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
- There should be very few if any false positives for this rule. However, it may be tripped by antivirus or endpoint detection and response solutions;
check whether these solutions are installed on the correct paths.
- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment,
consider adding exceptions — preferably with a combination of user and command line conditions.
- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on
the correct path and signed with the company's valid digital signature.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Scope compromised credentials and disable the accounts.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
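Review bot: the removed "Scope compromised credentials and disable the accounts." step is replaced only by the password-reset wording of the "Investigate credential exposure" bullet, so disabling accounts is no longer mentioned anywhere in the list. For a credential-harvesting detection, add "disable or restrict logon for the affected accounts" back alongside the reset, since a reset alone does not end sessions or tickets the attacker already holds.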
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/31"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Mimikatz Memssp Log File Detected"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating Mimikatz Memssp Log File Detected
@@ -26,15 +26,16 @@ account password, running service credentials, and any accounts that logon.
#### Possible investigation steps
- Investigate script execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Scope potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target
host.
- Retrieve and inspect the log file contents.
- By default, the log file is created in the same location as the DLL file.
- Search for DLL files created in the location, and retrieve any DLLs that are not signed:
- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.
- Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Identify the process that created the DLL using file creation events.
### False positive analysis
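Review bot: "Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs." assumes the security package exists as a DLL on disk, but the response section of this same guide says "Reboot the host to remove the injected SSP from memory", i.e. the provider may have been injected into LSASS with nothing written to disk. State both cases here: if no DLL is found, acquire an LSASS or full memory image before any reboot and look for the injected code there. Also, "By default, the log file is created in the same location as the DLL file." is presented as a fact about the tool but no default path is named; either give the path the rule matches on or drop the sentence.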
@@ -50,11 +51,18 @@ host.
- Isolate the involved hosts to prevent further post-compromise behavior.
- If the host is a Domain Controller (DC):
- Activate your incident response plan for total Active Directory compromise.
- Review the permissions of users that can access the DCs.
- Reset passwords for all compromised accounts.
- Disable remote login for compromised user accounts.
- Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is
being followed and reduce the attack surface.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Reboot the host to remove the injected SSP from memory.
- Reimage the host operating system or restore compromised files to clean versions.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
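Review bot: "Reboot the host to remove the injected SSP from memory." comes before "Reimage the host operating system or restore compromised files to clean versions.", and the reboot destroys the volatile evidence (LSASS memory and the injected provider) that the investigation steps depend on. Order it as: capture a memory image, then reboot or reimage, and say that a reboot alone is insufficient when the provider was also installed on disk (the unsigned-DLL case from the investigation section), where removing it or reimaging is required. "Disable remote login for compromised user accounts." should also say to terminate the accounts' existing sessions.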
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/07"
maturity = "development"
updated_date = "2022/04/06"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -32,14 +32,16 @@ More information about Mimikatz components and how to detect/prevent them can be
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Contact the account owner and confirm whether they are aware of this activity.
- Examine PowerShell, Windows, and endpoint detection and response (EDR) logs to understand what was executed in the host.
- Further examination should include reviewing network logs to identify potential lateral movement.
- Examine PowerShell (script block logging), Windows and endpoint detection and response (EDR) logs to understand what
was executed in the host.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Use process name, command line, and file hash to search for occurrences on other hosts.
- Scope potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the
- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the
target host.
- Examine network and security events in the environment to identify potential lateral movement using compromised credentials.
### False positive analysis
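Review bot: "Examine PowerShell (script block logging), Windows and endpoint detection and response (EDR) logs" should say that script block logging must already be enabled; it is off by default and, when on, writes event ID 4104 to the Microsoft-Windows-PowerShell/Operational log, so without it the analyst will look for records that do not exist. A serial comma after "Windows" would also help, since "Windows and endpoint detection and response (EDR) logs" currently reads as one item.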
@@ -55,10 +57,17 @@ target host.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Validate that cleartext passwords are disabled in memory for use with `WDigest`.
- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide
this capability.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
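Review bot: "Validate that cleartext passwords are disabled in memory for use with `WDigest`." and "Look into preventing access to `LSASS` using capabilities such as LSA protection" are the right controls but give the analyst nothing concrete to check. Name the settings: `UseLogonCredential` under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest` must be 0 (or absent, which is the default on current Windows versions), and LSA protection is the `RunAsPPL` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` set to 1.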
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Modification of WDigest Security Provider"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating Modification of WDigest Security Provider
@@ -33,16 +33,20 @@ commonly related to the execution of credential dumping tools.
- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should
treat any activity triggered from this rule with high priority as it typically represents an active adversary.
- Investigate the script execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Determine if credential dumping tools were run on the host and if any suspicious tool is found:
- Retrieve the file.
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts to contact external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use process name, command line, and file hash to search for other compromised hosts.
- Scope potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use process name, command line, and file hash to search for occurrences on other hosts.
- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target
host after the registry modification.
### False positive analysis
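Review bot: "Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification." should say why those accounts matter: once WDigest caching is turned on, every account that logs on interactively (logon types such as 2, 10 and 11) has its cleartext password held in LSASS, so that 4624 list is the password-reset list. Network logons (type 3) do not leave credentials in LSASS and can be filtered out to keep the list manageable.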
@@ -59,10 +63,15 @@ consequently unauthorized access.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Disable user accounts ability to log in remotely.
- Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Reimage the host operating system and restore compromised files to clean versions.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
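Review bot: the response list never reverts the change that fired the rule. Add a step to set `UseLogonCredential` under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest` back to 0 (or delete the value) and confirm the revert in the registry audit log, placed right after isolating the host, since leaving the value at 1 keeps caching cleartext passwords for every new logon during the investigation. "Disable user accounts ability to log in remotely." needs the possessive: "Disable the user accounts' ability to log in remotely."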
@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
maturity = "production"
min_stack_comments = "File header bytes field populated until 7.15."
min_stack_version = "7.15.0"
updated_date = "2022/04/29"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -32,10 +32,11 @@ file on an SMB share, which may indicate this kind of exfiltration attempt.
#### Possible investigation steps
- Investigate other alerts related to the user/host in the last 48 hours.
- Confirm whether the account owner is aware of the operation.
- Examine command line logs for the period when the alert was triggered.
- Capture the registry file(s) to scope the compromised credentials in an eventual incident response.
- Investigate other alerts associated with the user/source host during the past 48 hours.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.
- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.
### False positive analysis
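Review bot: replacing "Examine command line logs for the period when the alert was triggered." with "Inspect the source host for suspicious or abnormal behaviors in the alert timeframe." loses the most concrete lead the analyst has: the process and command line that wrote the hive (a `reg save` invocation or a shadow-copy tool, for example) identify the technique and the tooling. Keep the command-line step, and add identifying the destination share and the account that authenticated to it, because the copied hive now lives on a second host that also needs handling.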
@@ -50,9 +51,15 @@ activity and is aware of it.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Scope compromised credentials and disable associated accounts.
- Reset passwords for compromised accounts.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Reimage the host operating system and restore compromised files to clean versions.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 47
rule_id = "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494"
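Review bot: "Investigate credential exposure on systems compromised or used by the attacker" scopes the reset to accounts the attacker touched, but a copied registry hive exposes everything in it regardless of use: if the file is the SAM hive, every local account hash on the source host; if it is SECURITY, the LSA secrets and cached domain credentials. Treat every credential stored in the copied hive(s) as compromised and reset them, and add removing the copy from the SMB share, which "Remove and block malicious artifacts" elsewhere in this change covers but this list does not.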
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/05"
maturity = "production"
updated_date = "2022/03/02"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell MiniDump Script"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating PowerShell MiniDump Script
@@ -27,11 +27,13 @@ privileged information stored in the process memory.
#### Possible investigation steps
- Examine script content that triggered the detection.
- Investigate the script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- Investigate other alerts related to the user/host in the last 48 hours.
- Consider whether the user needs PowerShell to complete its tasks.
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Examine file or network events from the involved PowerShell process for suspicious behavior.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Evaluate whether the user needs to use PowerShell to complete tasks.
- Check if the imported function was executed and which process it targeted.
### False positive analysis
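Review bot: "Check if the imported function was executed and which process it targeted." should also point the analyst at the output: a MiniDump call writes the target process memory to a file whose path is an argument to the call (so it is usually visible in the script), and that file is both the artifact to recover for scoping and the thing to delete. If the target was LSASS, the dump holds the credentials of every account logged on to the host at that time, which sets the password-reset scope for the response section.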
@@ -47,9 +49,16 @@ positives unlikely.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.
- Reset the password for the user account.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/24"
maturity = "production"
updated_date = "2022/02/28"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -29,13 +29,16 @@ perform Kerberoasting.
#### Possible investigation steps
- Retrieve the script contents.
- Investigate the script execution chain (parent process tree).
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate if the script was executed, and if so, which account was targeted.
- Check whether this user should be doing this kind of activity.
- Validate if the account has an SPN associated with it.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Check if the script has any other functionality that can be potentially malicious.
- Investigate other alerts related to the host and user in the last 48 hours.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769)
related to this account and service name for additional information.
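Review bot: "Review event ID 4769 related to this account and service name" is too broad on a busy domain; say what to filter on. Kerberoasting tools request the service ticket with RC4 (Ticket Encryption Type 0x17) so the hash is cheap to crack, so 4769 events with encryption type 0x17 for an SPN-bearing account in a domain that otherwise issues AES tickets (0x11/0x12) are the signal. "Validate if the account has an SPN associated with it." can be answered with `setspn -L <account>` or by reading the `servicePrincipalName` attribute.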
@@ -48,8 +51,13 @@ requirements and policy.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Reset the password of the involved accounts. Priority should be given to privileged accounts.
- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services. Prioritize privileged accounts.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
references = [
"https://cobalt.io/blog/kerberoast-attack-techniques",
@@ -3,7 +3,7 @@ creation_date = "2022/03/01"
maturity = "production"
min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
min_stack_version = "7.15.0"
updated_date = "2022/04/29"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -30,16 +30,17 @@ credentials to access other systems in the domain.
#### Possible investigation steps
- Identify the target host role, involved account, and source host.
- Determine the privileges assigned to any compromised accounts.
- Investigate other alerts related to the involved user and source host in the last 48 hours.
- Scope potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target
- Identify the specifics of the involved assets, such as their role, criticality, and associated users.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Determine the privileges of the compromised accounts.
- Investigate other alerts associated with the user/source host during the past 48 hours.
- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target
host.
### False positive analysis
- False positives for this rule are unlikely. Any activity that triggered the alert and is not inherently malicious must
be monitored by the security team.
- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious
must be monitored by the security team.
### Related rules
@@ -49,9 +50,16 @@ be monitored by the security team.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Scope compromised credentials and disable the accounts.
- Reset the passwords of compromised accounts.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Determine if other hosts were compromised.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Reimage the host operating system or restore the compromised files to clean versions.
- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/27"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -43,7 +43,7 @@ the system.
- Investigate how the privilege was assigned to the user and who assigned it.
- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the
`user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.
- Investigate other alerts associated with the involved accounts during the past 48 hours.
- Investigate other alerts associated with the users/host during the past 48 hours.
### False positive analysis
@@ -56,8 +56,12 @@ environment legitimately, the security team should notify the administrators abo
### Response and remediation
- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
post-compromise behavior.
- Initiate the incident response process based on the outcome of the triage.
- Remove the privilege from the account.
- Review the privileges of the administrator account that performed the action.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/02/22"
maturity = "production"
updated_date = "2022/04/29"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -40,12 +40,11 @@ write privileges to, making them potentially vulnerable to Kerberoasting.
#### Possible investigation steps
- Identify the account that performed the action.
- Check whether this user should be doing this kind of activity.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).
- Investigate if tickets have been requested for the target account.
- Investigate other alerts related to the user in the last 48 hours.
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
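Review bot: "Investigate if tickets have been requested for the target account." names no data source. This is Kerberos service ticket event 4769 on the domain controllers, filtered by the newly added SPN's service name; a request for it with RC4 encryption (0x17) shortly after the SPN was added is the Kerberoasting pattern the rule description warns about.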
@@ -58,8 +57,13 @@ them to credential cracking attacks (Kerberoasting, brute force, etc.).
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Reset the passwords of affected accounts, prioritizing privileged accounts.
- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services. Prioritize privileged accounts.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
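Review bot: the response never removes the SPN whose addition fired the rule. Add "Remove the SPN from the account (`setspn -D <spn> <account>`) unless it is confirmed legitimate" before the password reset, and add revisiting who holds write access to the account's `servicePrincipalName` attribute (the description mentions write privileges), since that ACL is the weakness that allowed the change.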
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/12/25"
maturity = "production"
updated_date = "2022/04/06"
updated_date = "2022/05/09"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -26,8 +26,12 @@ needed to extract these hashes and potentially conduct lateral movement.
#### Possible investigation steps
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Determine if a volume shadow copy was recently created on this endpoint.
- Review priviledges of the end user as this requires administrative access.
- Review privileges of the end user as this requires administrative access.
- Verify if the ntds.dit file was successfully copied and determine its copy destination.
- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.
- Investigate recent deletions of volume shadow copies.
@@ -44,12 +48,19 @@ needed to extract these hashes and potentially conduct lateral movement.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- If the entire domain or the `krbtgt` user was compromised:
- Activate your incident response plan for total Active Directory compromise which should include, but not be limited
to, a password reset (twice) of the `krbtgt` user.
- Locate and remove static files copied from volume shadow copies.
- Command-Line tool mklink should require administrative access by default unless in developer mode.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
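Review bot: "a password reset (twice) of the `krbtgt` user" needs the caveat that the second reset must wait until the first has replicated to every domain controller (and, per Microsoft's guidance, ideally the maximum ticket lifetime, 10 hours by default), because two resets in quick succession invalidate every outstanding TGT and break authentication across the domain. "Command-Line tool mklink should require administrative access by default unless in developer mode." is a statement, not an action; rephrase it as a check, e.g. confirm that Developer Mode is not enabled on the host and that the account did not hold the "Create symbolic links" user right.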
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/06/01"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -29,16 +29,20 @@ This rule monitors the modifications to the Software\\Microsoft\\Windows Script\
#### Possible investigation steps
- Identify the user that performed the action.
- Check whether this user should be doing this kind of activity.
- Investigate program execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate the execution of scripts and macros after the registry modification.
- Retrieve script/office files:
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts to contact external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Retrieve scripts or Microsoft Office files and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use process name, command line, and file hash to search for occurrences on other hosts.
### False positive analysis
@@ -54,9 +58,19 @@ monitored by the security team, as these modifications expose the host to malwar
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- If malware was found, implement temporary network rules, procedures, and segmentation required to contain it.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Delete or set the key to its default value.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
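Review bot: "Delete or set the key to its default value." sits after the antimalware scan, but reverting the setting the alert fired on is the cheapest containment step and belongs right after isolating the host. It also does not name the value or its default; the rule description gives the key path, so spell out which value under it is monitored and what it should be set back to, otherwise an analyst unfamiliar with the key has nothing to act on.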
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/20"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -26,20 +26,21 @@ was observed in 2018 where Trickbot incorporated mechanisms to disable Windows D
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Examine the exclusion in order to determine the intent behind it.
- Check for similar behavior in other hosts on the environment.
- If the exclusion specifies a suspicious file, retrieve it and determine if it is malicious:
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
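Review bot: "Examine the exclusion in order to determine the intent behind it." should say where the full list lives and what makes an exclusion dangerous. The current exclusions are readable with `Get-MpPreference` (ExclusionPath, ExclusionProcess, ExclusionExtension) or under `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions`, and breadth is the severity driver: an entire drive, a user-profile or temp directory, or an extension such as .exe excluded is far worse than one application directory. Given the Trickbot reference in the description, also check whether the same process changed other Defender settings in the same window, not only the exclusion.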
@@ -57,10 +58,18 @@ legitimate reasons for exclusions, so it's important to gain context.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Immediately block the identified indicators of compromise (IoCs).
- Remove and block malicious artifacts identified on the triage.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Exclusion lists for antimalware capabilities should always be routinely monitored for review.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
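Review bot: deleting "Exclusion lists for antimalware capabilities should always be routinely monitored for review." removes the only remediation step specific to this guide's subject (antimalware exclusions, per the investigation steps and the "legitimate reasons for exclusions" context); what replaces it is the generic containment set shared with the other guides. Suggest keeping it as a hardening bullet, e.g. "- Review and routinely monitor antimalware exclusion lists to detect unauthorized additions."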
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/31"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -26,11 +26,11 @@ processes, giving defenders visibility of PowerShell scripts and sequences of ex
#### Possible investigation steps
- Identify the user account which performed the action.
- Check whether the account should perform this kind of action.
- Investigate the script execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Check whether it makes sense for the user to use PowerShell to complete its tasks.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check whether it makes sense for the user to use PowerShell to complete tasks.
- Investigate if PowerShell scripts were run after logging was disabled.
### False positive analysis
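Review bot: the new step "Investigate if PowerShell scripts were run after logging was disabled." does not say where to look, and the logging this guide covers is exactly the source that was turned off. Point the analyst at data that still exists, as the sibling guides in this commit do with "Check for additional PowerShell and command-line logs" and "Examine file or network events from the involved PowerShell process": process creation and command-line events for the PowerShell host process.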
@@ -43,16 +43,21 @@ processes, giving defenders visibility of PowerShell scripts and sequences of ex
- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889
- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43
- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d
- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad
- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad
- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a
- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Quarantine the involved host to prevent further post-compromise behavior.
- Review the implicated user account's privileges.
- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
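Review bot: the remediation list never says to restore the logging that the investigation step above says was disabled; add a step such as "- Re-enable the disabled PowerShell logging settings on the affected hosts and confirm they are enforced (for example through the GPO already mentioned in the restriction bullet)." Minor: "Isolate the involved hosts" is plural here while the first guide in this commit uses "Isolate the involved host"; pick one form across the commit.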
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -21,31 +21,32 @@ note = """## Triage and analysis
The Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a
device, and blocks unauthorized network traffic flowing into or out of the local device.
Attackers can disable firewall rules which are intended to prevent lateral movement and command and control traffic to
enable their operations.
Attackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.
This rule identifies patterns related to disabling firewall rules using the `netsh.exe` utility.
This rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.
#### Possible investigation steps
- Identify the user account which performed the action and whether it should perform this kind of action.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the user to check if they are aware of the operation.
- Investigate the script execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Analyze the executed command to determine what it allowed.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
- This mechanism can be used legitimately. Check whether the user is legitimately performing this kind of activity.
- Assess the need to disable the modification of the rule, and whether these actions expose the environment to
unnecessary risks.
- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing
troubleshooting.
- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Quarantine the involved host to prevent further post-compromise behavior.
- Evaluate exceptions that can be added to the firewall rule and re-enable the rule.
- Review the implicated account's privileges.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
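Review bot: the Response and remediation section lost its only restorative step. The old bullet "Evaluate exceptions that can be added to the firewall rule and re-enable the rule." was removed, and re-enabling the firewall now appears only under False positive analysis for the B-TP case; a confirmed malicious disable needs the same instruction. Suggest adding "- Re-enable the Windows firewall and any disabled rules, and review any exceptions that were added." Minor: "Attackers can disable ... to enable lateral movement" stacks disable/enable; "to facilitate lateral movement" avoids the echo.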
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/13"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -29,13 +29,15 @@ This rule detects the creation of a Windows Firewall inbound rule that would all
#### Possible investigation steps
- Identify the user account which performed the action and whether it should perform this kind of action.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the user to check if they are aware of the operation.
- Investigate the script execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check whether it makes sense to enable RDP to this host, given its role in the environment.
- Check if the host is directly exposed to the internet.
- Check whether privileged accounts accessed the host shortly after the modification.
- Review network events within a short timespan of this alert for incoming RDP connection attempts.
### False positive analysis
@@ -48,8 +50,11 @@ of it, whether RDP should be open, and whether the action exposes the environmen
- If RDP is needed, make sure to secure it:
- Allowlist RDP traffic to specific trusted hosts.
- Restrict RDP logins to authorized non-administrator accounts, where possible.
- Quarantine the implicated host to prevent further post-compromise behavior.
- Review the implicated account's privileges.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
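Review bot: the remediation steps harden RDP for the case where it is needed but never say to remove the inbound rule whose creation this rule detects when that rule turns out to be unauthorized. Add a step ahead of the "If RDP is needed, make sure to secure it:" branch, e.g. "- Remove the unauthorized inbound firewall rule."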
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/12"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -41,10 +41,21 @@ This rule looks for registry changes affecting the conditions above.
#### Possible investigation steps
- Identify the user that performed the operation.
- Verify whether malicious macros were executed after the registry change.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the user and check if the change was done manually.
- Investigate other alerts associated with the user during the past 48 hours.
- Verify whether malicious macros were executed after the registry change.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Retrieve recently executed Office documents and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
@@ -55,8 +66,16 @@ positives (B-TPs), as this configuration can put the user and the domain at risk
- Initiate the incident response process based on the outcome of the triage.
- Reset the registry key value.
- Isolate the host if malicious code was executed and reset the involved account's passwords.
- Isolate the involved host to prevent further post-compromise behavior.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Explore using GPOs to manage security settings for Microsoft Office macros.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/14"
maturity = "production"
updated_date = "2022/03/15"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Process Injection via PowerShell"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating Potential Process Injection via PowerShell
@@ -30,11 +30,13 @@ payloads directly into the memory without touching the disk to circumvent file-b
#### Possible investigation steps
- Examine script content that triggered the detection.
- Investigate the script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- Investigate other alerts related to the user/host in the last 48 hours.
- Consider whether the user needs PowerShell to complete its tasks.
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Examine file or network events from the involved PowerShell process for suspicious behavior.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Evaluate whether the user needs to use PowerShell to complete tasks.
- Check if the imported function was executed and which process it targeted.
- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).
@@ -49,9 +51,16 @@ payloads directly into the memory without touching the disk to circumvent file-b
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.
- Reset the password for the user account.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/19"
maturity = "production"
updated_date = "2022/04/06"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -27,7 +27,8 @@ this tool being adopted by ransomware and criminal groups and used in compromise
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Examine the command line to determine what information was retrieved by the tool.
- Contact the account owner and confirm whether they are aware of this activity.
@@ -35,9 +36,9 @@ this tool being adopted by ransomware and criminal groups and used in compromise
### False positive analysis
- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators. One
option could be allowlisting specific users or groups who use the tool as part of their daily responsibilities. This can
be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment.
- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.
- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination
of user and command line conditions.
- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in
isolation, so reviewing previous logs/activity from impacted machines can be very telling.
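Review bot: "This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators." attaches "it is a legitimate tool" to the rule rather than to AdFind, which is only named two bullets later; rewrite as "This rule is likely to produce false positives because AdFind is a legitimate tool used by network administrators." The new exceptions bullet also dropped the old pointer to the exception workflow in the Kibana Security App; consider keeping it so analysts know where the user and command line conditions are added.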
@@ -51,8 +52,14 @@ isolation, so reviewing previous logs/activity from impacted machines can be ver
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Determine the initial infection vector.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/13"
maturity = "production"
updated_date = "2022/03/02"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Suspicious Discovery Related Windows API Functions"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating PowerShell Suspicious Discovery Related Windows API Functions
@@ -28,12 +28,14 @@ like PSReflect or Get-ProcAddress Cmdlet.
#### Possible investigation steps
- Examine script content that triggered the detection.
- Investigate the script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- Investigate other alerts related to the user/host in the last 48 hours.
- Consider whether the user needs PowerShell to complete its tasks.
- Check if the imported function was executed.
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Examine file or network events from the involved PowerShell process for suspicious behavior.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Evaluate whether the user needs to use PowerShell to complete tasks.
- Check for additional PowerShell and command-line logs that indicate that imported functions were run.
### False positive analysis
@@ -48,8 +50,13 @@ However, analysts should keep in mind that this is not a common way of getting i
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Quarantine the involved host to prevent further post-compromise behavior.
- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
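Review bot: in this guide "Determine the initial vector abused by the attacker ..." comes before "Run a full antimalware scan ...", whereas every other guide in this commit orders scan, then initial vector, then the MTTD/MTTR bullet. Reorder these two bullets to match.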
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2022/03/02"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Portable Executable Encoded in Powershell Script"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating Suspicious Portable Executable Encoded in Powershell Script
@@ -26,12 +26,21 @@ bypassing file-based security protections. These executables are generally base6
#### Possible investigation steps
- Examine script content that triggered the detection.
- Investigate the script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- Investigate other alerts related to the user/host in the last 48 hours.
- Consider whether the user needs PowerShell to complete its tasks.
- Retrieve the script and execute it in a sandbox or controlled environment.
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Evaluate whether the user needs to use PowerShell to complete tasks.
- Retrieve the script and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
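Review bot: the hashing sub-steps were pasted from the generic sandbox snippet, but for this guide the artifact of interest is the executable encoded inside the script (the hunk context notes these are generally base64 encoded), and the hash of the .ps1 itself is unlikely to be what reputation services have indexed. Add a step before the reputation search, e.g. "- Decode the embedded executable and use Get-FileHash on the decoded file as well as on the script."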
@@ -39,15 +48,28 @@ bypassing file-based security protections. These executables are generally base6
### Related rules
- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad
- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad
- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a
- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Quarantine the involved host to prevent further post-compromise behavior.
- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.
- Isolate the involved hosts to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Reimage the host operating system or restore the compromised files to clean versions.
- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2022/03/02"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -33,11 +33,24 @@ PowerShell, enabling defenders to discover tools being dropped in the environmen
#### Possible investigation steps
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The
script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id`
for filtering).
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Check for additional PowerShell and command-line logs that indicate that imported functions were run.
- Gather the script content that may be split into multiple script blocks (the field `powershell.file.script_block_id`
can be used for filtering), and identify its capabilities.
- Investigate other alerts related to the user/host in the last 48 hours.
- Consider whether the user needs PowerShell to complete its tasks.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Evaluate whether the user needs to use PowerShell to complete tasks.
- Retrieve the script and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
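Review bot: the first bullet ends in a sentence fragment left over from folding the old "Gather the script content that may be split into multiple script blocks ..." bullet into it: "The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering)." Drop "that": "The script content may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering)."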
@@ -49,15 +62,27 @@ can be used for filtering), and identify its capabilities.
- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889
- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43
- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d
- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad
- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad
- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a
- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Quarantine the involved host to prevent further post-compromise behavior.
- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.
- Isolate the involved hosts to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/01"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -32,10 +32,12 @@ Veritas or Veeam backups.
#### Possible investigation steps
- Identify the process (location, name, etc.) and the user that performed this operation.
- Check whether the account is authorized to perform this operation.
- Confirm whether the account owner is aware of the operation.
- Investigate other alerts associated with the user during the past 48 hours.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check if any files on the host machine have been encrypted.
### False positive analysis
@@ -52,9 +54,16 @@ not from the backup suite. Exceptions can be added for specific accounts and exe
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Reset the password of the involved accounts.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.
- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -26,11 +26,12 @@ This rule identifies the deletion of the backup catalog using the `wbadmin.exe`
#### Possible investigation steps
- Investigate the script execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Confirm whether the account owner is aware of the operation.
- Investigate other alerts related to the user/host in the last 48 hours.
- Check for similar behavior in other hosts on the environment.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Check if any files on the host machine have been encrypted.
### False positive analysis
@@ -47,12 +48,17 @@ This rule identifies the deletion of the backup catalog using the `wbadmin.exe`
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent destructive behavior, which is commonly associated with this activity.
- Reset the password of the involved accounts.
- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look
for ransomware preparation and execution activities.
- If any backups were affected:
- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
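Review bot: The imperative "Isolate the involved host to prevent destructive behavior, which is commonly associated with this activity." is downgraded to "Consider isolating the involved host..." in a guide whose own steps tell the analyst to "look for ransomware preparation and execution activities" and to check whether files on the host have been encrypted. For backup catalog deletion this sends mixed signals; keep "Isolate" here, or state the condition under which isolation can be skipped.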
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/03/16"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -31,11 +31,12 @@ These are common steps in destructive attacks by adversaries leveraging ransomwa
#### Possible investigation steps
- Investigate the script execution chain (parent process tree).
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Confirm whether the account owner is aware of the operation.
- Investigate other alerts related to the user/host in the last 48 hours.
- Check for similar behavior in other hosts on the environment.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Check if any files on the host machine have been encrypted.
### False positive analysis
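Review bot: The rewritten first step keeps "Investigate the script execution chain (parent process tree) for unknown processes." while the equivalent bullet in the wbadmin guide above was changed to "Investigate the process execution chain". This rule fires on a process execution, not a script, so "process execution chain" is the accurate term. The new line is also wrapped differently ("...executable files for" / "prevalence, ...") from the wbadmin version ("...executable files" / "for prevalence, ..."), which will make a future search-and-replace across the guides miss one of them; suggest one wrapping for the shared sentence.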
@@ -50,10 +51,15 @@ machine to boot for troubleshooting or data recovery purposes.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent destructive behavior, which is commonly associated with this activity.
- Reset the password of the involved accounts.
- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look
for ransomware preparation and execution activities.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/03"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -27,11 +27,11 @@ host within a short time period.
#### Possible investigation steps
- Investigate the script execution chain (parent process tree).
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Confirm whether the account owner is aware of the operation, and why it was performed.
- Investigate other alerts related to the user/host in the last 48 hours.
- Check for similar behavior in other hosts on the environment.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check if any files on the host machine have been encrypted.
### False positive analysis
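Review bot: The removed "Check for similar behavior in other hosts on the environment." has no replacement in this hunk, whereas the other guides in this change replace it with "Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts." For a rule about a high number of terminations on a host in a short period, the cross-host check is one of the more useful steps, since the same pattern on several hosts at once is what distinguishes a deployment-wide ransomware stage from a single misbehaving host; suggest restoring it with the new wording. The replacement "Contact the account owner and confirm whether they are aware of this activity." also drops the "and why it was performed" that the old line asked, and this hunk keeps "script execution chain" where the others use "process execution chain".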
@@ -42,10 +42,17 @@ host within a short time period.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.
- Reset the password of the involved accounts.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Reimage the host operating system or restore it to the operational state.
- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look
for ransomware preparation and execution activities.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 47
rule_id = "035889c4-2686-4583-a7df-67f89c292f2c"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Volume Shadow Copy Deleted or Resized via VssAdmin"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin
@@ -29,17 +29,21 @@ This rule monitors the execution of Vssadmin.exe to either delete or resize shad
#### Possible investigation steps
- Investigate the program execution chain (parent process tree).
- Check whether the account is authorized to perform this operation.
- Confirm whether the account owner is aware of the operation.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.
- Investigate other alerts related to the user/host in the last 48 hours.
- If unsigned files are found on the process tree:
- Capture copies of the files.
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts to contact external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Investigate other alerts associated with the user/host during the past 48 hours.
- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use process name, command line, and file hash to search for occurrences in other hosts.
- Check if any files on the host machine have been encrypted.
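Review bot: Style on the rewritten sub-list: "CISCO Talos" should be "Cisco Talos" (the company name is not an acronym), and the added line "  - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc." runs well past the wrap width every other bullet in these guides respects. Both points recur verbatim in the PowerShell and WMIC shadow-copy hunks and in the Acrobat and registry-persistence hunks below, so a single pass over all of them would be worthwhile.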
@@ -57,12 +61,25 @@ environment, consider adding exceptions — preferably with a combination of use
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.
- Priority should be given due to the advanced stage of this activity on the attack.
- If malware was found, isolate the involved hosts to prevent the infection of other hosts.
- Disable the involved accounts, or restrict their ability to log on remotely.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- If data was encrypted, deleted, or modified, activate your data recovery plan.
- Reset the password of the involved accounts.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
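Review bot: The added "Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.)." duplicates the retained "If data was encrypted, deleted, or modified, activate your data recovery plan." a few lines above, so the guide now instructs data recovery twice with different wording. Suggest keeping one bullet, for example folding the replicated-copies detail into the data-recovery-plan line. The same pair is introduced in the PowerShell and WMIC shadow-copy hunks below.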
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/19"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -32,14 +32,17 @@ copy objects, and delete them.
- Investigate the program execution chain (parent process tree).
- Check whether the account is authorized to perform this operation.
- Confirm whether the account owner is aware of the operation.
- Investigate other alerts related to the user/host in the last 48 hours.
- If unsigned files are found on the process tree:
- Capture copies of the files.
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts of contacting external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use process name, command line, and file hash to search for occurrences in other hosts.
- Check if any files on the host machine have been encrypted.
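Review bot: The first two bullets of this hunk, "Investigate the program execution chain (parent process tree)." and "Check whether the account is authorized to perform this operation.", are left as unchanged context, while the VssAdmin guide above replaces them with the longer "Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files..." and "Identify the user account that performed the action and whether it should perform this kind of action." wording. Since the three shadow-copy guides are otherwise kept identical by this change, this one should get the same two replacements; the WMIC hunk below has the same gap.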
@@ -57,12 +60,25 @@ environment, consider adding exceptions — preferably with a combination of use
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.
- Priority should be given due to the advanced stage of this activity on the attack.
- If malware was found, isolate the involved hosts to prevent the infection of other hosts.
- Disable the involved accounts, or restrict their ability to log on remotely.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- If data was encrypted, deleted, or modified, activate your data recovery plan.
- Reset the password of the involved accounts.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
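Review bot: "Disable the involved accounts, or restrict their ability to log on remotely." is removed and nothing in the new bullets covers it: the added "Investigate credential exposure..." paragraph ends in password resets, which does not terminate an already-authenticated session or block a remote logon with a second, unreset credential. Suggest keeping the disable/restrict step next to the credential bullet; the same removal happens in the VssAdmin and WMIC hunks and in the Acrobat guide further down.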
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -31,15 +31,18 @@ This rule monitors the execution of `wmic.exe` to interact with VSS via the `sha
- Investigate the program execution chain (parent process tree).
- Check whether the account is authorized to perform this operation.
- Confirm whether the account owner is aware of the operation.
- Contact the account owner and confirm whether they are aware of this activity.
- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.
- Investigate other alerts related to the user/host in the last 48 hours.
- If unsigned files are found on the process tree:
- Capture copies of the files.
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts of contacting external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Investigate other alerts associated with the user/host during the past 48 hours.
- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use process name, command line, and file hash to search for occurrences in other hosts.
- Check if any files on the host machine have been encrypted.
@@ -58,11 +61,24 @@ environment, consider adding exceptions — preferably with a combination of use
- Initiate the incident response process based on the outcome of the triage.
- Priority should be given due to the advanced stage of this activity on the attack.
- If malware was found, isolate the involved hosts to prevent the infection of other hosts.
- Disable the involved accounts, or restrict their ability to log on remotely.
- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- If data was encrypted, deleted, or modified, activate your data recovery plan.
- Reset the password of the involved accounts.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -28,16 +28,20 @@ This rule looks for the spawn of the `powershell.exe` process with `cscript.exe`
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate commands executed by the spawned PowerShell process.
- Retrieve the script file(s) involved:
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts to contact external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Manually analyze the script to determine if malicious capabilities are present.
- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
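Review bot: The replaced block loses the script-specific steps. The old "Retrieve the script file(s) involved:" with "Manually analyze the script to determine if malicious capabilities are present." is swapped for "If unsigned files are found on the process tree, retrieve them and determine if they are malicious:", but the script handed to cscript.exe is a command-line argument, not a process in the tree, so the new condition never directs the analyst to the script file itself, and the retained "Determine how the script file was delivered (email attachment, dropped by other processes, etc.)." now refers to a file the guide no longer tells the analyst to collect. Suggest keeping an unconditional "Retrieve the script file(s) involved" bullet with the sandbox and hash sub-steps and the manual-analysis line under it.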
@@ -49,14 +53,23 @@ This rule looks for the spawn of the `powershell.exe` process with `cscript.exe`
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Remove and block malicious artifacts identified on the triage.
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- If the malicious file was delivered via phishing:
- Block the email sender from sending future emails.
- Block the malicious web pages.
- Remove emails from the sender from mailboxes.
- Consider improvements to the security awareness program.
- Reimage the host operating system and restore compromised files to clean versions.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
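Review bot: Ordering of the new bullets: "Reimage the host operating system and restore compromised files to clean versions." is added immediately before "Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components." A scan of a freshly reimaged host will not reveal artifacts or persistence mechanisms, and reimaging first destroys what the scan and the preceding "Inspect the affected systems for additional malware backdoors..." step are meant to find. Suggest placing the scan and the backdoor inspection before the reimage, or rewording the scan as a verification of the rebuilt host.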
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/25"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -29,10 +29,11 @@ desktop connections are enabled. Attackers can abuse remote registry, use psexec
#### Possible investigation steps
- Identify the user account which performed the action and whether it should perform this kind of action.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the user to check if they are aware of the operation.
- Investigate the script execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check whether it makes sense to enable RDP to this host, given its role in the environment.
- Check if the host is directly exposed to the internet.
- Check whether privileged accounts accessed the host shortly after the modification.
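Review bot: The retained "Contact the user to check if they are aware of the operation." differs from the "Contact the account owner and confirm whether they are aware of this activity." wording this change standardises on in the other guides; since the line directly above it was rewritten to match ("Identify the user account that performed the action and whether it should perform this kind of action."), this one should be aligned in the same hunk.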
@@ -40,8 +41,8 @@ desktop connections are enabled. Attackers can abuse remote registry, use psexec
### False positive analysis
- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware
of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.
- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether
they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.
### Response and remediation
@@ -49,8 +50,11 @@ of it, whether RDP should be open, and whether the action exposes the environmen
- If RDP is needed, make sure to secure it using firewall rules:
- Allowlist RDP traffic to specific trusted hosts.
- Restrict RDP logins to authorized non-administrator accounts, where possible.
- Quarantine the involved host to prevent further post-compromise behavior.
- Review the implicated account's privileges.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
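Review bot: "Isolate the involved hosts to prevent further post-compromise behavior." is placed after the "If RDP is needed, make sure to secure it using firewall rules:" sub-list, so the guide hardens RDP on the host before containing it, while every other response section in this change puts isolation directly after "Initiate the incident response process". Suggest moving the isolation bullet up. Separately, "Restrict RDP logins to authorized non-administrator accounts, where possible." is an account or policy control rather than a firewall rule, so the lead-in "secure it using firewall rules" does not describe its second sub-item; "secure it using firewall rules and logon restrictions" would.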
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -20,10 +20,11 @@ whenever Adobe Acrobat Reader is executed.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Identify the user account that performed the action.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts on the environment.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
@@ -31,8 +32,8 @@ whenever Adobe Acrobat Reader is executed.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
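Review bot: The parent bullet of this sub-list (unchanged context in the previous hunk) is singular, "Retrieve the file and determine if it is malicious:", but the rewritten lines switch to plural, "get the files' SHA-256 hash values" and "reputation of the hashes". Either keep the singular here ("the file's SHA-256 hash value", "the hash") or pluralise the parent; the registry-persistence guide further down has the same mismatch.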
@@ -43,11 +44,20 @@ whenever Adobe Acrobat Reader is executed.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Immediately block the IoCs identified.
- Remove and block malicious artifacts identified on the triage.
- Disable the involved accounts, or restrict their ability to log on remotely.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -26,9 +26,10 @@ This rule uses registry events to identify the creation of local hidden accounts
#### Possible investigation steps
- Identify the user account which performed the action and whether it should perform this kind of action.
- Investigate the script execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
@@ -37,9 +38,12 @@ This rule uses registry events to identify the creation of local hidden accounts
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Quarantine the involved host to prevent further post-compromise behavior.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Delete the hidden account.
- Review the privileges of the involved accounts.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
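Review bot: For a rule about hidden local account creation, the response section stops at "Delete the hidden account." and a privilege review; unlike the other guides in this change it gains no credential step, although a hidden account is itself a persistence credential that may have been used from other hosts. Suggest adding the "Investigate credential exposure on systems compromised or used by the attacker..." bullet used elsewhere in this PR, plus a check of other hosts for the same account name, since the investigation steps for this rule do not include a cross-host prevalence check.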
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/03/15"
maturity = "production"
updated_date = "2022/04/06"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -25,11 +25,12 @@ an attacker.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Review the source process and related file tied to the Windows Registry entry.
- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software
installations.
- Determine if activity is unique by validating if other machines in the same organization have similar entries.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
@@ -37,8 +38,8 @@ installations.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
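Review bot: number mismatch in the hash step: "get the files' SHA-256 hash values" and "reputation of the hashes" are plural while the parent item reads "Retrieve the file and determine if it is malicious" (singular); pick one. Searching by hash rather than by file is the right change, since uploading the sample itself to a public service can disclose it; worth stating that explicitly in the step.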
@@ -55,9 +56,16 @@ it should be verified that this activity is not benign.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first
initialized such as through a macro-enabled document that was attached in a phishing email. After understanding the source
of the attack, you can use this information to search for similar indicators on other machines in the same environment.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- If the malicious file was delivered via phishing:
- Block the email sender from sending future emails.
- Block the malicious web pages.
- Remove emails from the sender from mailboxes.
- Consider improvements to the security awareness program.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 73
rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff"
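Review bot: replacing the "Since this activity is considered post-exploitation behavior ..." paragraph with "Determine the initial vector abused by the attacker ..." drops its second half, the advice to search other machines in the environment for the same indicators; add the "If the triage identified malware, search the environment for additional compromised hosts." item that the other response sections in this change use. Also, "Block the malicious web pages." is vague; say what is blocked (the URLs and domains referenced by the phishing email).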
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -31,11 +31,12 @@ binaries' original file names, which is likely a custom binary deployed by the a
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Contact the account and system owners and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts on the environment.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
@@ -43,8 +44,8 @@ binaries' original file names, which is likely a custom binary deployed by the a
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
@@ -56,10 +57,20 @@ binaries' original file names, which is likely a custom binary deployed by the a
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Immediately block the IoCs identified.
- Remove and block malicious artifacts identified on the triage.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
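Review bot: "Stop suspicious processes." is placed before any evidence is collected; if forensics are needed, memory and process artifacts should be captured before the processes are terminated, so either add a collection step ahead of it or qualify it ("once artifacts have been collected").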
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/02/24"
maturity = "production"
updated_date = "2022/04/06"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -44,7 +44,7 @@ This rule matches changes of the dsHeuristics object where the 16th bit is set t
#### Possible investigation steps
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Contact the account and system owners and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:
- Account Operators eq 1
@@ -56,12 +56,14 @@ This rule matches changes of the dsHeuristics object where the 16th bit is set t
### False positive analysis
- While this modification can be done legitimately, it is not best practice. Any potential benign true positive (B-TP)
- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP)
should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.
### Response and remediation
- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
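Review bot: the Response and remediation list here does not start with "Initiate the incident response process based on the outcome of the triage." as the other rules in this change do, and reverting dwAdminSDExMask alone does not address the exposure created while the bit was set: add a step to review the membership and privileges of the group that was excluded from AdminSDHolder protection, since the False positive analysis itself notes that the change weakens the security of the privileged group.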
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -25,16 +25,21 @@ This rule monitors for commonly abused processes writing to the Startup folder l
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
software installations.
- Determine if activity is unique by validating if other machines in the organization have similar entries.
- Retrieve the file:
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts to contact external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
@@ -51,10 +56,20 @@ verify that this activity is not benign.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Remove malicious artifacts identified on the triage.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/29"
maturity = "production"
updated_date = "2022/03/21"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -25,16 +25,21 @@ This rule looks for unsigned processes writing to the Startup folder locations.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
software installations.
- Determine if activity is unique by validating if other machines in the organization have similar entries.
- Retrieve the file:
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts to contact external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
@@ -52,10 +57,20 @@ investigation, verify that this activity is not benign.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Remove malicious artifacts identified on the triage.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 41
rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -25,22 +25,25 @@ This rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs s
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
software installations.
- Determine if activity is unique by validating if other machines in the organization have similar entries.
- Retrieve the script file:
- Use a sandboxed malware analysis system to perform analysis.
- Observe attempts to contact external domains and addresses.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
- There is a low possibility of benign legitimate scripts being added to Startup folders. Validate whether this activity
is benign.
- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
### Related rules
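Review bot: "Retrieve the script file:" became the generic "Retrieve the file and determine if it is malicious:", losing the specificity that matters for this rule, which per the hunk context looks for shortcuts created by wscript.exe or cscript.exe and js/vbs scripts; say which file to retrieve (the script, and for a shortcut the target it points to). In the False positive analysis, "This activity is unlikely to happen legitimately" asserts more than the old "low possibility of benign legitimate scripts"; fine if intended.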
@@ -52,9 +55,20 @@ is benign.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
updated_date = "2022/04/20"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -22,10 +22,11 @@ Adversaries can insert malicious code that can be executed in place of legitimat
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Identify the user account that performed the action.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts on the environment.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Retrieve the file referenced in the registry and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
@@ -33,8 +34,8 @@ Adversaries can insert malicious code that can be executed in place of legitimat
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
@@ -45,11 +46,20 @@ Adversaries can insert malicious code that can be executed in place of legitimat
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Immediately block the IoCs identified.
- Remove and block malicious artifacts identified on the triage.
- Disable the involved accounts, or restrict their ability to log on remotely.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
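Review bot: the removed step "Disable the involved accounts, or restrict their ability to log on remotely." is a containment action that the replacement "Investigate credential exposure ... Reset passwords" does not cover (a password reset alone does not restrict remote logon); keep it, or fold it into the credential item.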
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -25,13 +25,14 @@ This rule looks for system shells being spawned by `services.exe`, which is comp
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify how the service was created or modified. Look for registry changes events or Windows events related to
service activities (for example, 4697 and/or 7045).
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts on the environment.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Check for commands executed under the spawned shell.
### False positive analysis
@@ -43,10 +44,15 @@ service activities (for example, 4697 and/or 7045).
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Delete the service or restore it to the original configuration.
- Investigate the initial attack vector.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
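Review bot: "Investigate the initial attack vector." and the new "Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector." say the same thing; if the former was not removed in this hunk, drop it. The context line "Look for registry changes events" should read "registry change events".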
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/09"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic", "Skoetting"]
@@ -31,7 +31,7 @@ This rule monitors events related to a user being added to a privileged group.
- Identify the user account that performed the action and whether it should manage members of this group.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user during the past 48 hours.
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
@@ -44,7 +44,10 @@ this level of privilege.
- Initiate the incident response process based on the outcome of the triage.
- If the admin is not aware of the operation, activate your Active Directory incident response plan.
- If the user does not need the administrator privileges, remove the account from the privileged group.
- Review the privileges of the administrator account that performed the action.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -24,10 +24,11 @@ This rule identifies the usage of `net.exe` to create new accounts.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Identify if the account was added to privileged groups or assigned special privileges after creation.
- Investigate other alerts related to the user/host in the last 48 hours.
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
@@ -43,7 +44,12 @@ investigating further, verify that this activity is not benign.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Delete the created account.
- Reset the password for the user account leveraged to create the new account.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/11/08"
maturity = "production"
updated_date = "2022/03/02"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -24,11 +24,12 @@ clients to execute specified commands at startup, logon, shutdown, and logoff. T
#### Possible investigation steps
- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the
activity is legitimate and the administrator is authorized to perform this operation.
- Retrieve the contents of the script file, and check for any potentially malicious commands and binaries.
- Investigate other alerts related to the user/host in the last 48 hours.
- Scope which objects have been affected.
- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity
is legitimate and the administrator is authorized to perform this operation.
- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `<Command>` and `<Arguments>` XML tags for any
potentially malicious commands or binaries.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.
### False positive analysis
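Review bot: this rule is about GPO startup/logon scripts (the hunk context says the GPO executes commands at startup, logon, shutdown, and logoff, and the remediation says "Remove the script from the GPO"), but the new investigation step tells the analyst to read `ScheduledTasks.xml` and its `<Command>`/`<Arguments>` tags, which is the step for the scheduled-task GPO rule later in this change; this looks like a copy-paste error. Restore "Retrieve the contents of the script file, and check for any potentially malicious commands and binaries." and, if a path is wanted, point at the scripts.ini and psscripts.ini files under the GPO's Scripts folder, which list the configured scripts.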
@@ -45,6 +46,9 @@ activity is legitimate and the administrator is authorized to perform this opera
- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.
- Remove the script from the GPO.
- Check if other GPOs have suspicious scripts attached.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
@@ -24,8 +24,8 @@ Example Path: "\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Micr
#### Possible investigation steps
- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the
activity is legitimate and the administrator is authorized to perform this operation.
- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity
is legitimate and the administrator is authorized to perform this operation.
- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially
dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.
- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/11/08"
maturity = "production"
updated_date = "2022/04/20"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -22,12 +22,12 @@ file.
#### Possible investigation steps
- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity
- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity
is legitimate and the administrator is authorized to perform this operation.
- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `<Command>` and `<Arguments>` XML tags for any
potentially malicious commands and binaries.
- Investigate other alerts related to the user/host in the last 48 hours.
- Scope which objects have been affected.
potentially malicious commands or binaries.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.
### False positive analysis
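Review bot: the `ScheduledTasks.xml` step only looks at `<Command>` and `<Arguments>`, but the security impact of a GPO-pushed task depends just as much on the principal it runs under; suggest extending the step to "and the account the task runs as (the `runAs` attribute and run level in the same file)", since a benign-looking command running as SYSTEM on every linked computer is the typical abuse pattern this rule targets. As with the earlier file, "retrieving information about which objects are controlled by the GPO" would read better as a concrete instruction to enumerate the GPO's link targets (OUs, sites, domain).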
@@ -44,6 +44,9 @@ potentially malicious commands and binaries.
- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.
- Remove the script from the GPO.
- Check if other GPOs have suspicious scheduled tasks attached.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
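Review bot: "Remove the script from the GPO." is inconsistent with the rule this file covers; the following line correctly says "suspicious scheduled tasks attached", so the first line should read "Remove the scheduled task from the GPO." (the wording looks copied from the GPO script rule). Consider also adding "and any task already deployed to member computers", because deleting the preference item from the GPO does not by itself remove a task that has already been created on targets.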
@@ -3,7 +3,7 @@ creation_date = "2021/11/25"
maturity = "production"
min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
min_stack_version = "7.16.0"
updated_date = "2022/04/13"
updated_date = "2022/05/09"
[rule]
author = ["Elastic"]
@@ -27,12 +27,13 @@ This rule detects the default execution of the PoC, which overwrites the `elevat
to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked),
which is outside the scope of this rule.
#### Possible investigation steps:
#### Possible investigation steps
- Check the executable's digital signature.
- Look for additional processes spawned by the process, command lines, and network communications.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts on the environment.
- Look for additional processes spawned by the process, command lines, and network communications.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
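Review bot: "Check the executable's digital signature." is now redundant with the new parent-process step ("Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures"), and it is no longer clear which executable it refers to; suggest either folding it into that step or making it specific, e.g. "Check the digital signature of the process that performed the overwrite." While here, the context sentence "An attacker is able to still take over any file that is not in use (locked)" reads better as "An attacker can still take over any file that is not in use (locked)".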
@@ -40,8 +41,8 @@ which is outside the scope of this rule.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
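Review bot: "CISCO Talos" should be "Cisco Talos" (vendor spelling). The hashing step can state that `Get-FileHash` produces SHA-256 by default, so no `-Algorithm` parameter is needed; that avoids analysts assuming the default is MD5 or SHA-1 when comparing against reputation services.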
@@ -56,12 +57,20 @@ which is outside the scope of this rule.
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Remove and block malicious artifacts identified on the triage.
- Disable user accounts ability to log in remotely.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Determine the initial infection vector.
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
## Config
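Review bot: if "Disable user accounts ability to log in remotely." is retained it needs an apostrophe ("user accounts' ability"); if it was intentionally dropped in favour of the new credential-exposure step, that is fine, but the credential step then only covers password resets and says nothing about revoking active sessions or remote access for the compromised accounts, so consider keeping a short line on that. The ordering of the new steps is sound: credentials are reset after backdoors are hunted and removed, which avoids an attacker with a surviving implant simply capturing the new passwords.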