diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index d9c3c5934..c6c4e2891 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
-updated_date = "2021/10/19"
+updated_date = "2021/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"4104" and
+event.category:process and
 powershell.file.script_block_text : (
 Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)
 )
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 6d237ea2e..98dbdae3e 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2021/10/05"
+updated_date = "2021/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"4104" and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
+event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
 '''
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 0c121d731..5da9035a6 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/14"
 maturity = "production"
-updated_date = "2021/10/14"
+updated_date = "2021/11/17"
 
 [rule]
 author = ["Elastic"]
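Review bot: Replacing `event.code:"4104"` with `event.category:process` in the `query` of collection_posh_audio_capture.toml widens the selector from a single event ID to a whole ECS category, so the rule's precision now rests entirely on `powershell.file.script_block_text` being populated only for script-block-logging events; that appears to hold for the PowerShell integration, but nothing in the rule records that assumption. If the rule's `note` or `description` (outside this hunk) still tells operators that the rule depends on event ID 4104 / Script Block Logging, that text should stay, since the data requirement is unchanged even though the query no longer names the event code; a sentence in the `note` field such as "Matches PowerShell Script Block Logging (event ID 4104) events, which the PowerShell integration categorizes as process" would keep that context visible. The same substitution appears in credential_access_posh_minidump.toml, defense_evasion_posh_process_injection.toml, discovery_posh_suspicious_api_functions.toml and execution_posh_portable_executable.toml, and applies there as well. As a point of style, credential_access_posh_minidump.toml keeps the selector and the script-block clause on one line while the other four rules break after `and`, which is worth aligning while every file is being touched. The `query` value's closing `'''` lies outside this hunk.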
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"4104" and
+event.category:process and
 powershell.file.script_block_text : (
 (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index efcecc666..52e8e87e2 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/13"
 maturity = "production"
-updated_date = "2021/10/14"
+updated_date = "2021/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"4104" and
+event.category:process and
 powershell.file.script_block_text : (
 NetShareEnum or
 NetWkstaUserEnum or
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index d1e82fbaf..165bb6e9a 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2021/10/15"
+updated_date = "2021/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"4104" and
+event.category:process and
 powershell.file.script_block_text : (
 TVqQAAMAAAAEAAAA
 )