diff --git a/rules/cross-platform/command_and_control_common_llm_endpoint.toml b/rules/cross-platform/command_and_control_common_llm_endpoint.toml index 8614a7cea..b15f7f8f5 100644 --- a/rules/cross-platform/command_and_control_common_llm_endpoint.toml +++ b/rules/cross-platform/command_and_control_common_llm_endpoint.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] @@ -150,16 +150,18 @@ network where host.os.type in ("macos", "windows") and dns.question.name != null [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" - +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - - diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml index b27f35840..69e8783e9 100644 --- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml +++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2026/03/31" +updated_date = "2026/04/01" [rule] author = ["Elastic"] @@ -123,17 +123,22 @@ process.parent.name in ("node", "bun", "node.exe", "bun.exe") and ( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml index b508ee3bf..235c22f4e 100644 --- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml +++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/19" integration = ["endpoint", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,14 +89,23 @@ Google Drive is a widely-used cloud storage service that allows users to store a [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.003" +name = "One-Way Communication" +reference = "https://attack.mitre.org/techniques/T1102/003/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/command_and_control_kubectl_networking_modification.toml b/rules/cross-platform/command_and_control_kubectl_networking_modification.toml index 0b1311604..36c09b884 100644 --- a/rules/cross-platform/command_and_control_kubectl_networking_modification.toml +++ b/rules/cross-platform/command_and_control_kubectl_networking_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/26" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -125,16 +125,16 @@ process.name == "kubectl" and ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1572" -name = "Protocol Tunneling" -reference = "https://attack.mitre.org/techniques/T1572/" - [[rule.threat.technique]] id = "T1090" name = "Proxy" reference = "https://attack.mitre.org/techniques/T1090/" +[[rule.threat.technique]] +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml index 4ed6298ea..ba94e8a18 100644 --- a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml +++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/18" integration = ["endpoint", "panw"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -70,6 +70,11 @@ note = """## Triage and analysis [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml index 0ca537563..46c2d3682 100644 --- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml +++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/10" integration = ["endpoint", "suricata"] maturity = "production" -updated_date = "2026/01/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,7 +76,30 @@ note = """## Triage and analysis [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/cross-platform/command_and_control_tunnel_qemu.toml b/rules/cross-platform/command_and_control_tunnel_qemu.toml index 6a3c887e2..6441d002c 100644 --- a/rules/cross-platform/command_and_control_tunnel_qemu.toml +++ b/rules/cross-platform/command_and_control_tunnel_qemu.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,14 +95,23 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" +[[rule.threat.technique]] +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml index 70427bd61..ad9183c5d 100644 --- a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml +++ b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -139,26 +139,54 @@ file where event.action in ("open", "creation", "modification") and event.outcom [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" reference = "https://attack.mitre.org/techniques/T1005/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/cross-platform/credential_access_gitleaks_execution.toml b/rules/cross-platform/credential_access_gitleaks_execution.toml index f4efcf945..4ae8155c9 100644 --- a/rules/cross-platform/credential_access_gitleaks_execution.toml +++ b/rules/cross-platform/credential_access_gitleaks_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/28" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/11/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,6 +103,16 @@ id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" @@ -112,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1555/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/cross-platform/credential_access_trufflehog_execution.toml b/rules/cross-platform/credential_access_trufflehog_execution.toml index b6faa0d1a..334251a1f 100644 --- a/rules/cross-platform/credential_access_trufflehog_execution.toml +++ b/rules/cross-platform/credential_access_trufflehog_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/11/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,6 +105,16 @@ id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" @@ -114,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1555/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml index 84468fac2..28fd5a021 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,15 +73,31 @@ In network environments, agents are deployed on hosts to monitor and report acti [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.002" +name = "Transmitted Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/002/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index 150a6573e..a18631900 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,14 +86,18 @@ file where event.type == "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index 2a2584462..75b91f559 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml b/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml index a33eb0157..2992c1605 100644 --- a/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml +++ b/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/17" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,22 +81,41 @@ ROT encoding, a simple letter substitution cipher, is often used to obfuscate Py [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.013" name = "Encrypted/Encoded File" reference = "https://attack.mitre.org/techniques/T1027/013/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/defense_evasion_genai_config_modification.toml b/rules/cross-platform/defense_evasion_genai_config_modification.toml index 812702a98..cf95d5c68 100644 --- a/rules/cross-platform/defense_evasion_genai_config_modification.toml +++ b/rules/cross-platform/defense_evasion_genai_config_modification.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,29 +104,39 @@ file.path : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml index 20e0c1c6d..77ad5e0a0 100644 --- a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml +++ b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "auditd_manager"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -140,19 +140,36 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1587" +name = "Develop Capabilities" +reference = "https://attack.mitre.org/techniques/T1587/" + +[[rule.threat.technique.subtechnique]] +id = "T1587.001" +name = "Malware" +reference = "https://attack.mitre.org/techniques/T1587/001/" + +[rule.threat.tactic] +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" diff --git a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml index 1f8053d97..5a7e264fd 100644 --- a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml +++ b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -159,14 +159,49 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1560" +name = "Archive Collected Data" +reference = "https://attack.mitre.org/techniques/T1560/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.001" +name = "Archive via Utility" +reference = "https://attack.mitre.org/techniques/T1560/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.002" +name = "Archive via Library" +reference = "https://attack.mitre.org/techniques/T1560/002/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1030" +name = "Data Transfer Size Limits" +reference = "https://attack.mitre.org/techniques/T1030/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml index b548ad933..97c4cbd79 100644 --- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,3 +106,21 @@ reference = "https://attack.mitre.org/techniques/T1036/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/defense_evasion_potential_kubectl_impersonation.toml b/rules/cross-platform/defense_evasion_potential_kubectl_impersonation.toml index e7243366b..623a26362 100644 --- a/rules/cross-platform/defense_evasion_potential_kubectl_impersonation.toml +++ b/rules/cross-platform/defense_evasion_potential_kubectl_impersonation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "cloud maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/26" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -127,6 +127,11 @@ not process.parent.args like ("/snap/microk8s/*/apiservice-kicker", "/snap/micro [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" @@ -137,11 +142,6 @@ id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -150,17 +150,30 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/cross-platform/defense_evasion_potential_kubectl_masquerading.toml b/rules/cross-platform/defense_evasion_potential_kubectl_masquerading.toml index a2a1374e3..7f1a8681a 100644 --- a/rules/cross-platform/defense_evasion_potential_kubectl_masquerading.toml +++ b/rules/cross-platform/defense_evasion_potential_kubectl_masquerading.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/26" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -156,7 +156,43 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml index 31b65ceeb..136a5eee2 100644 --- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml +++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/30" integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,34 +96,40 @@ FROM logs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/cross-platform/discovery_kubectl_permission_discovery.toml b/rules/cross-platform/discovery_kubectl_permission_discovery.toml index 2f8caf3ee..ab07c6537 100644 --- a/rules/cross-platform/discovery_kubectl_permission_discovery.toml +++ b/rules/cross-platform/discovery_kubectl_permission_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/26" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -119,6 +119,11 @@ process.name == "kubectl" and process.args == "auth" and process.args == "can-i" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index c6e250f6b..e2a495f93 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,14 +89,31 @@ Virtual machine fingerprinting involves identifying virtualized environments by [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml index 2f85b8138..af0064871 100644 --- a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml +++ b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml @@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -172,3 +172,47 @@ reference = "https://attack.mitre.org/techniques/T1083/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml index 8ea0b32ea..ad5487a6d 100644 --- a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml +++ b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml @@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -133,3 +133,16 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml index 8934cb478..59a2cdf48 100644 --- a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml +++ b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/23" integration = ["aws", "endpoint"] maturity = "production" -updated_date = "2025/11/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -225,26 +225,36 @@ FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1651" name = "Cloud Administration Command" reference = "https://attack.mitre.org/techniques/T1651/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml index bc38184ca..42fff8466 100644 --- a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml +++ b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/03" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -145,17 +145,31 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1651" name = "Cloud Administration Command" reference = "https://attack.mitre.org/techniques/T1651/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml index 13d278cd2..807903bc5 100644 --- a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml +++ b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,6 +121,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml index 211a1183c..25b202793 100644 --- a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml +++ b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,6 +125,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml index 652be9cb0..677413701 100644 --- a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml +++ b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -145,6 +145,16 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -153,6 +163,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" diff --git a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml index 95229fe81..fc91b794a 100644 --- a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml +++ b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,6 +108,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" @@ -135,3 +140,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml b/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml index 0074a431b..314d1926c 100644 --- a/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml +++ b/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/12" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/11/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,12 +88,35 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Exploitation for Client Execution" - id = "T1203" - reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/cross-platform/execution_kubernetes_direct_api_request_via_curl_or_wget.toml b/rules/cross-platform/execution_kubernetes_direct_api_request_via_curl_or_wget.toml index 261ec1a63..a751edaad 100644 --- a/rules/cross-platform/execution_kubernetes_direct_api_request_via_curl_or_wget.toml +++ b/rules/cross-platform/execution_kubernetes_direct_api_request_via_curl_or_wget.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "crowdstrike", "sentinel_one_clo maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/26" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -152,6 +152,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" @@ -161,3 +166,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.007" +name = "Container API" +reference = "https://attack.mitre.org/techniques/T1552/007/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml index 13869c98f..22754b011 100644 --- a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml +++ b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,6 +83,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" @@ -123,3 +128,21 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1195" +name = "Supply Chain Compromise" +reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/execution_openclaw_agent_child_process.toml b/rules/cross-platform/execution_openclaw_agent_child_process.toml index 919bf5982..c2a5536ac 100644 --- a/rules/cross-platform/execution_openclaw_agent_child_process.toml +++ b/rules/cross-platform/execution_openclaw_agent_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,36 +83,89 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml b/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml index 4a04cf04a..9fecc9c12 100644 --- a/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml +++ b/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/27" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/11/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,6 +127,11 @@ id = "T1609" name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/cross-platform/execution_register_github_actions_runner.toml b/rules/cross-platform/execution_register_github_actions_runner.toml index bd5c534de..bd45fce94 100644 --- a/rules/cross-platform/execution_register_github_actions_runner.toml +++ b/rules/cross-platform/execution_register_github_actions_runner.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/11/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,32 +95,44 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1219" +name = "Remote Access Tools" +reference = "https://attack.mitre.org/techniques/T1219/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index 62a96f31e..2ddadb560 100644 --- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml +++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,14 +89,26 @@ process where event.type in ("start", "process_started") and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml index a9a731ace..1028f94f3 100644 --- a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml +++ b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -67,24 +67,41 @@ note = """## Triage and analysis [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml index ac4891f7a..d2189e589 100644 --- a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml +++ b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,24 +84,74 @@ note = """## Triage and analysis [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml index 8ca0cdb5a..4cbccabc4 100644 --- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml +++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2021/12/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,24 +109,46 @@ Java Naming and Directory Interface (JNDI) is a Java API that provides naming an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/execution_via_github_actions_runner.toml b/rules/cross-platform/execution_via_github_actions_runner.toml index 08782e87f..c82405b97 100644 --- a/rules/cross-platform/execution_via_github_actions_runner.toml +++ b/rules/cross-platform/execution_via_github_actions_runner.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/11/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,32 +99,79 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml b/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml index ebd0cb49c..f2c133d73 100644 --- a/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml +++ b/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,49 +115,58 @@ not process.env_vars like~ "RUNNER_TRACKING_ID=github_*" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Initial Access" - id = "TA0001" - reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat.technique]] +id = "T1195" +name = "Supply Chain Compromise" +reference = "https://attack.mitre.org/techniques/T1195/" - [[rule.threat.technique]] - name = "Supply Chain Compromise" - id = "T1195" - reference = "https://attack.mitre.org/techniques/T1195/" - - [[rule.threat.technique.subtechnique]] - name = "Compromise Software Dependencies and Development Tools" - id = "T1195.001" - reference = "https://attack.mitre.org/techniques/T1195/001/" +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique]] - name = "Impair Defenses" - id = "T1562" - reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1036.009" +name = "Break Process Trees" +reference = "https://attack.mitre.org/techniques/T1036/009/" - [[rule.threat.technique.subtechnique]] - name = "Disable or Modify Tools" - id = "T1562.001" - reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/exfiltration_potential_curl_data_exfiltration.toml b/rules/cross-platform/exfiltration_potential_curl_data_exfiltration.toml index 723f64c5e..500dee9bf 100644 --- a/rules/cross-platform/exfiltration_potential_curl_data_exfiltration.toml +++ b/rules/cross-platform/exfiltration_potential_curl_data_exfiltration.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2026/03/25" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -130,12 +130,22 @@ not process.args : ("https://*/ap/fleet/*", "https://*/api/saved_objects/*", "ht [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" - [[rule.threat.technique]] - name = "Exfiltration Over Alternative Protocol" - id = "T1048" - reference = "https://attack.mitre.org/techniques/T1048/" +[[rule.threat.technique.subtechnique]] +id = "T1048.001" +name = "Exfiltration Over Symmetric Encrypted Non-C2 Protocol" +reference = "https://attack.mitre.org/techniques/T1048/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1048.003" +name = "Exfiltration Over Unencrypted Non-C2 Protocol" +reference = "https://attack.mitre.org/techniques/T1048/003/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml index bfb7916cd..407eeea5e 100644 --- a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml +++ b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,3 +127,77 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml b/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml index dbee870be..17b33e323 100644 --- a/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml +++ b/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Device mount events were added as part of the Elastic Defend Device Control feature." min_stack_version = "9.2.0" -updated_date = "2025/11/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,34 +81,47 @@ host.os.type:(macos or windows) and event.type:device and event.action:mount and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1091" name = "Replication Through Removable Media" reference = "https://attack.mitre.org/techniques/T1091/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" + [[rule.threat.technique.subtechnique]] id = "T1052.001" name = "Exfiltration over USB" reference = "https://attack.mitre.org/techniques/T1052/001/" - - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1091" +name = "Replication Through Removable Media" +reference = "https://attack.mitre.org/techniques/T1091/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["device.serial_number", "host.id"] diff --git a/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml b/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml index b2c142588..9d7045d81 100644 --- a/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml +++ b/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/27" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -143,3 +143,16 @@ reference = "https://attack.mitre.org/techniques/T1505/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/cross-platform/initial_access_ollama_api_external_access.toml b/rules/cross-platform/initial_access_ollama_api_external_access.toml index 4a059992f..7692634d9 100644 --- a/rules/cross-platform/initial_access_ollama_api_external_access.toml +++ b/rules/cross-platform/initial_access_ollama_api_external_access.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,14 +89,18 @@ network where event.action == "connection_accepted" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml index 677203522..8227fb80b 100644 --- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml +++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/14" maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,14 +72,18 @@ Zoom meetings without passcodes are vulnerable to unauthorized access, known as [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml index e71c50e44..0e14d3d4a 100644 --- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml +++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/19" integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -185,6 +185,16 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -198,6 +208,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" @@ -225,3 +240,57 @@ reference = "https://attack.mitre.org/techniques/T1595/003/" id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml index 1aa962b8f..5fab4d49a 100644 --- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml +++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,19 +72,36 @@ The sudoers file is crucial in Unix-like systems, defining user permissions for [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 0c3fbef2c..24e3f7af1 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,3 +111,21 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml index 895ef2afa..204aea801 100644 --- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml +++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,17 +88,26 @@ Sudo is a critical utility in Unix-like systems, allowing users to execute comma [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.threshold] field = ["host.hostname"] value = 100 diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml index 042c1dd3d..817a6c345 100644 --- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,3 +96,21 @@ reference = "https://attack.mitre.org/techniques/T1548/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/privilege_escalation_trap_execution.toml b/rules/cross-platform/privilege_escalation_trap_execution.toml index d94587dd5..64bf0260d 100644 --- a/rules/cross-platform/privilege_escalation_trap_execution.toml +++ b/rules/cross-platform/privilege_escalation_trap_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,3 +84,21 @@ reference = "https://attack.mitre.org/techniques/T1546/005/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.005" +name = "Trap" +reference = "https://attack.mitre.org/techniques/T1546/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml index 21998af81..9c0e12dd9 100644 --- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml +++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,17 +91,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml index d649ef077..20256d83f 100644 --- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml +++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,42 +121,52 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1619" name = "Cloud Storage Object Discovery" reference = "https://attack.mitre.org/techniques/T1619/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml index 7bf37ce9e..eacc8d821 100644 --- a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml +++ b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/10" integration = ["aws"] maturity = "production" -updated_date = "2025/06/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,22 +95,39 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"] diff --git a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml index 39c54e4f1..57b2baeef 100644 --- a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml +++ b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/20" integration = ["aws"] maturity = "production" -updated_date = "2025/11/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,17 +78,34 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml index d134a095d..41cee1240 100644 --- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml +++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,19 +101,42 @@ framework = "MITRE ATT&CK" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml index 660e03971..20d915624 100644 --- a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml +++ b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/11" integration = ["aws"] maturity = "production" -updated_date = "2025/11/07" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -130,22 +130,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.006" name = "Cloud Secrets Management Stores" reference = "https://attack.mitre.org/techniques/T1555/006/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.006" +name = "Databases" +reference = "https://attack.mitre.org/techniques/T1213/006/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.threshold] field = ["user.id"] value = 1 diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml index 2fd99ea0b..d6fa16aca 100644 --- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml +++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/21" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,17 +132,21 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.threshold] field = ["cloud.account.id"] value = 10 diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index f762db3aa..2dba17cda 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,22 +82,26 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml index b81501f12..dea0d7a8d 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,22 +83,26 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml index 67bc1c447..90f097c14 100644 --- a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml +++ b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,22 +116,31 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml index 5c526fa7a..6d037474f 100644 --- a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml +++ b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Austin Songer", "Elastic"] @@ -153,10 +153,12 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1578" name = "Modify Cloud Compute Infrastructure" reference = "https://attack.mitre.org/techniques/T1578/" + [[rule.threat.technique.subtechnique]] id = "T1578.002" name = "Create Cloud Instance" @@ -167,13 +169,28 @@ id = "T1578.004" name = "Revert Cloud Instance" reference = "https://attack.mitre.org/techniques/T1578/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" + +[[rule.threat.technique.subtechnique]] +id = "T1074.002" +name = "Remote Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/002/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml index a3f2352b5..21de01a05 100644 --- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml +++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/27" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,6 +122,7 @@ event.dataset:aws.cloudtrail and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" @@ -131,30 +132,34 @@ reference = "https://attack.mitre.org/techniques/T1070/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + [[rule.threat.technique.subtechnique]] id = "T1562.008" name = "Disable or Modify Cloud Logs" reference = "https://attack.mitre.org/techniques/T1562/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml index d441f9f41..1d4e6533f 100644 --- a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml +++ b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/08" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,22 +99,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.008" name = "Disable or Modify Cloud Logs" reference = "https://attack.mitre.org/techniques/T1562/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml index 78961ffa9..5bb8dd409 100644 --- a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml +++ b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/16" integration = ["aws"] maturity = "production" -updated_date = "2025/07/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,19 +100,31 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml index 197e4fc57..9f6d0e9c3 100644 --- a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml +++ b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,34 +115,44 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.003" +name = "Cloud Groups" +reference = "https://attack.mitre.org/techniques/T1069/003/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.004" name = "Cloud Account" reference = "https://attack.mitre.org/techniques/T1087/004/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.threshold] field = ["cloud.account.id", "user.name", "source.ip"] value = 25 diff --git a/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml b/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml index b9e3d273e..e89c2921f 100644 --- a/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml +++ b/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -210,17 +210,21 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + [[rule.threat.technique]] id = "T1580" name = "Cloud Infrastructure Discovery" reference = "https://attack.mitre.org/techniques/T1580/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.investigation_fields] field_names = [ "Esql.event_action_count_distinct", diff --git a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml index 20d53a409..57341cda8 100644 --- a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml +++ b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/24" integration = ["aws"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,10 +116,17 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.004" name = "Cloud Account" @@ -129,7 +136,6 @@ reference = "https://attack.mitre.org/techniques/T1087/004/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.arn"] diff --git a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml index cf02dd8f7..f86a9fcfd 100644 --- a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml +++ b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2024/08/26" maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -146,17 +146,21 @@ from logs-aws.cloudtrail-* METADATA _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + [[rule.threat.technique]] id = "T1580" name = "Cloud Infrastructure Discovery" reference = "https://attack.mitre.org/techniques/T1580/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.investigation_fields] field_names = [ "Esql.cloud_region_count_distinct", diff --git a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml index 1998dca13..1f86cdc6d 100644 --- a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml +++ b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/11" integration = ["aws"] maturity = "production" -updated_date = "2026/02/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,6 +124,12 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique]] id = "T1538" name = "Cloud Service Dashboard" @@ -138,7 +144,6 @@ reference = "https://attack.mitre.org/techniques/T1580/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/execution_cloudshell_environment_created.toml b/rules/integrations/aws/execution_cloudshell_environment_created.toml index dd1be4d86..08abce57f 100644 --- a/rules/integrations/aws/execution_cloudshell_environment_created.toml +++ b/rules/integrations/aws/execution_cloudshell_environment_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/12" integration = ["aws"] maturity = "production" -updated_date = "2026/03/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,22 +104,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.009" name = "Cloud API" reference = "https://attack.mitre.org/techniques/T1059/009/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml index f410c0aad..0be80713d 100644 --- a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml +++ b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,17 +107,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml index 7164fa9a5..b95f19cbc 100644 --- a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml +++ b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/25" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,11 +101,16 @@ framework = "MITRE ATT&CK" id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" + +[[rule.threat.technique]] +id = "T1651" +name = "Cloud Administration Command" +reference = "https://attack.mitre.org/techniques/T1651/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml index d54fc7697..7ac4b8a88 100644 --- a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml +++ b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/13" integration = ["aws"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,29 +82,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml index 5dd56b0f3..9385daad2 100644 --- a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml +++ b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/13" integration = ["aws"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,22 +73,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [[rule.threat.technique.subtechnique]] id = "T1567.002" name = "Exfiltration to Cloud Storage" reference = "https://attack.mitre.org/techniques/T1567/002/" - - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_ec2_export_task.toml b/rules/integrations/aws/exfiltration_ec2_export_task.toml index 0934b06a3..85ea184fc 100644 --- a/rules/integrations/aws/exfiltration_ec2_export_task.toml +++ b/rules/integrations/aws/exfiltration_ec2_export_task.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/23" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,18 +100,30 @@ event.dataset: "aws.cloudtrail" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" @@ -127,12 +139,10 @@ id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml index a0aa65612..69392b27d 100644 --- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml +++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -122,6 +122,7 @@ event.dataset: "aws.cloudtrail" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1020" name = "Automated Exfiltration" @@ -132,36 +133,49 @@ id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1040" name = "Network Sniffing" reference = "https://attack.mitre.org/techniques/T1040/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml index a0ba65785..3438596f8 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/06" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -151,28 +151,38 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique.subtechnique]] id = "T1213.006" name = "Databases" reference = "https://attack.mitre.org/techniques/T1213/006/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml index 999b1b4a2..55d8c871c 100644 --- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml +++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/17" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -148,29 +148,42 @@ and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipie [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml b/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml index a29a22b0c..f37e1f2d0 100644 --- a/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml +++ b/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/12" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -148,17 +148,26 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml b/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml index e64e83393..be5fa4a35 100644 --- a/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml +++ b/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["aws"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,22 +109,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [[rule.threat.technique.subtechnique]] id = "T1567.002" name = "Exfiltration to Cloud Storage" reference = "https://attack.mitre.org/techniques/T1567/002/" - - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml index 465364b28..e0a94c08f 100644 --- a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml +++ b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml @@ -2,12 +2,12 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] description = """ -Identifies when a use subscribes to an SNS topic using a new protocol type (ie. email, http, lambda, etc.). SNS allows users to subscribe to recieve topic messages across a broad range of protocols like email, sms, lambda functions, http endpoints, and applications. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address, cross-account AWS service or other means. This rule identifies a new protocol subscription method for a particular user. +Identifies when a user subscribes to an SNS topic using a new protocol type (ie. email, http, lambda, etc.). SNS allows users to subscribe to recieve topic messages across a broad range of protocols like email, sms, lambda functions, http endpoints, and applications. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address, cross-account AWS service or other means. This rule identifies a new protocol subscription method for a particular user. """ false_positives = [ """ @@ -88,46 +88,65 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1496" name = "Resource Hijacking" reference = "https://attack.mitre.org/techniques/T1496/" + [[rule.threat.technique.subtechnique]] id = "T1496.004" name = "Cloud Service Hijacking" reference = "https://attack.mitre.org/techniques/T1496/004/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.003" +name = "One-Way Communication" +reference = "https://attack.mitre.org/techniques/T1102/003/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml index 4b6fbec23..f432d063a 100644 --- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml +++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/17" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Austin Songer", "Elastic"] @@ -121,17 +121,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml index 013d9381c..6ec5c340a 100644 --- a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml +++ b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/01" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,18 +111,25 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1657" name = "Financial Theft" reference = "https://attack.mitre.org/techniques/T1657/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + [[rule.threat.technique]] id = "T1619" name = "Cloud Storage Object Discovery" @@ -132,20 +139,19 @@ reference = "https://attack.mitre.org/techniques/T1619/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - - [rule.threshold] field = ["tls.client.server_name", "source.address", "aws.cloudtrail.user_identity.type"] value = 1 diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml index f19cadad2..cbab012a4 100644 --- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml +++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,34 +87,52 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" + [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml index 1f6a8dd5d..ed265299c 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/18" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -151,34 +151,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml index 6312cf48c..4ee8165d8 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,34 +138,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml index 0aa53f8fd..0b73ed699 100644 --- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml +++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,22 +125,39 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" + [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml index 1221591ba..c6951c7a1 100644 --- a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml +++ b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/02" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,6 +116,7 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" @@ -126,12 +127,28 @@ id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml index 2a685166c..b5533647e 100644 --- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml +++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -116,34 +116,52 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1531" name = "Account Access Removal" reference = "https://attack.mitre.org/techniques/T1531/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml index 245d0ffc0..84fdd4c09 100644 --- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml +++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/21" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Xavier Pich"] @@ -145,17 +145,21 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique.subtechnique]] +id = "T1485.001" +name = "Lifecycle-Triggered Deletion" +reference = "https://attack.mitre.org/techniques/T1485/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml index d12ddb1dc..faa111891 100644 --- a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml +++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/28" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,17 +124,34 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_rds_snapshot_deleted.toml b/rules/integrations/aws/impact_rds_snapshot_deleted.toml index 7e6e4313c..ccee14c1e 100644 --- a/rules/integrations/aws/impact_rds_snapshot_deleted.toml +++ b/rules/integrations/aws/impact_rds_snapshot_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -154,17 +154,21 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml index 36ccc844d..5cb062124 100644 --- a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml +++ b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/17" integration = ["aws"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -148,6 +148,7 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" @@ -156,10 +157,19 @@ reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" +reference = "https://attack.mitre.org/techniques/T1486/" + +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml index 743ff1290..9a4bfdd2d 100644 --- a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml +++ b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["aws"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,10 +122,22 @@ from logs-aws.cloudtrail* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1491" +name = "Defacement" +reference = "https://attack.mitre.org/techniques/T1491/" + +[[rule.threat.technique.subtechnique]] +id = "T1491.002" +name = "External Defacement" +reference = "https://attack.mitre.org/techniques/T1491/002/" + [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" + [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" @@ -135,7 +147,6 @@ reference = "https://attack.mitre.org/techniques/T1565/001/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml index aacd3792c..3553a07eb 100644 --- a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml +++ b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/15" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,17 +105,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml index 18c4c5074..0fe9671e7 100644 --- a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml +++ b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -222,19 +222,36 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml b/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml index 93696cfc6..5b330a552 100644 --- a/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml +++ b/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/11" integration = ["aws"] maturity = "production" -updated_date = "2025/12/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,22 +110,39 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml index 32b17765f..f5071de40 100644 --- a/rules/integrations/aws/initial_access_password_recovery.toml +++ b/rules/integrations/aws/initial_access_password_recovery.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/02" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,14 +125,18 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml index 7a3ec1d85..ca830abae 100644 --- a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml +++ b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,36 +106,54 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml index e8de60750..6bb5af9fa 100644 --- a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml +++ b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,66 +125,113 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.007" name = "Cloud Services" reference = "https://attack.mitre.org/techniques/T1021/007/" - [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml index 2cb483089..903ca5ff5 100644 --- a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml +++ b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["aws"] maturity = "production" -updated_date = "2025/09/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -140,46 +140,60 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1534" name = "Internal Spearphishing" reference = "https://attack.mitre.org/techniques/T1534/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1496" name = "Resource Hijacking" reference = "https://attack.mitre.org/techniques/T1496/" + [[rule.threat.technique.subtechnique]] id = "T1496.004" name = "Cloud Service Hijacking" reference = "https://attack.mitre.org/techniques/T1496/004/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name", "aws.cloudtrail.resources.arn"] diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml index 2634447e6..87d29e6c2 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -119,11 +119,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -134,3 +147,7 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml index db71d8487..161aa44c3 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -117,11 +117,6 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -132,14 +127,14 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -150,9 +145,24 @@ id = "T1021.007" name = "Cloud Services" reference = "https://attack.mitre.org/techniques/T1021/007/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -161,13 +171,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml index c81083059..4012b6634 100644 --- a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml +++ b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,32 +121,41 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml index 37786c113..a72f180db 100644 --- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml +++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,30 +99,41 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml index 3e29917bf..771fa38a3 100644 --- a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml +++ b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/05" integration = ["aws"] maturity = "production" -updated_date = "2025/09/04" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -141,6 +141,23 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml index fd04f7d97..a2105eaa9 100644 --- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -117,25 +117,53 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml index dde1ff0a4..16a775ca3 100644 --- a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml +++ b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,17 +135,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml index 829f6ade7..6edad08e8 100644 --- a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml +++ b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/02" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -143,24 +143,28 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml index 16c89c356..456d11f2a 100644 --- a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml +++ b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -120,39 +120,57 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml index cc0704696..3c73289d5 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -137,22 +137,39 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml index 61a70e9d1..b93e5e177 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,22 +129,26 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_saml_provider_created.toml b/rules/integrations/aws/persistence_iam_saml_provider_created.toml index 4cf0be320..9116a811d 100644 --- a/rules/integrations/aws/persistence_iam_saml_provider_created.toml +++ b/rules/integrations/aws/persistence_iam_saml_provider_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,39 +116,49 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml index 0e89738a8..cc5eccd43 100644 --- a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml +++ b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,17 +113,34 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml index 941d53cba..cf7e2c1b3 100644 --- a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml +++ b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/27" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -136,28 +136,35 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -165,7 +172,6 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_rds_instance_made_public.toml b/rules/integrations/aws/persistence_rds_instance_made_public.toml index cac81e06d..9ce154cae 100644 --- a/rules/integrations/aws/persistence_rds_instance_made_public.toml +++ b/rules/integrations/aws/persistence_rds_instance_made_public.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -144,21 +144,27 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.009" name = "Conditional Access Policies" reference = "https://attack.mitre.org/techniques/T1556/009/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -166,7 +172,6 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml index 7fefa1eda..c54f9538c 100644 --- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml +++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -127,34 +127,47 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1584" name = "Compromise Infrastructure" reference = "https://attack.mitre.org/techniques/T1584/" + [[rule.threat.technique.subtechnique]] id = "T1584.001" name = "Domains" reference = "https://attack.mitre.org/techniques/T1584/001/" - - [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml index 6a09be1c5..83355ae7d 100644 --- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml +++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/19" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Austin Songer", "Elastic"] @@ -125,34 +125,47 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1583" name = "Acquire Infrastructure" reference = "https://attack.mitre.org/techniques/T1583/" + [[rule.threat.technique.subtechnique]] id = "T1583.001" name = "Domains" reference = "https://attack.mitre.org/techniques/T1583/001/" - - [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml index fe48343e5..a03d91f91 100644 --- a/rules/integrations/aws/persistence_route_table_created.toml +++ b/rules/integrations/aws/persistence_route_table_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -111,6 +111,23 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml index 1ada122b0..8a4189fc1 100644 --- a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml +++ b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/10" integration = ["aws"] maturity = "production" -updated_date = "2026/02/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,39 +121,54 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.003" name = "Cloud Account" reference = "https://attack.mitre.org/techniques/T1136/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml index fefefd677..393e91868 100644 --- a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml +++ b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/25" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] @@ -106,49 +106,72 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [rule.new_terms] field = "new_terms_fields" value = ["user.id", "aws.cloudtrail.flattened.request_parameters.serialNumber"] diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index 628f38411..84d8b807e 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/22" +updated_date = "2026/03/24" min_stack_comments = "New entity classification fields added: entity.target.id" min_stack_version = "9.2.0" @@ -100,22 +100,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.005" name = "Temporary Elevated Cloud Access" reference = "https://attack.mitre.org/techniques/T1548/005/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml index 4b9ab1316..924fb0794 100644 --- a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml +++ b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/22" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -125,22 +125,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml index bc91f308b..c8929a7f3 100644 --- a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml +++ b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2026/01/22" +updated_date = "2026/03/24" min_stack_comments = "New entity classification fields added: entity.target.id" min_stack_version = "9.2.0" @@ -97,22 +97,49 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml index c65c86306..213f759f6 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -updated_date = "2025/12/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -109,34 +109,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.005" +name = "Temporary Elevated Cloud Access" +reference = "https://attack.mitre.org/techniques/T1548/005/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml index 0abf5a097..43e24f0bc 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,34 +95,62 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml index 49cbe18da..8a9c66dfc 100644 --- a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml +++ b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/24" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -161,39 +161,67 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.005" name = "Temporary Elevated Cloud Access" reference = "https://attack.mitre.org/techniques/T1548/005/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml index 6e489d34a..da6188b1d 100644 --- a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml +++ b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/23" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -134,41 +134,62 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn", "aws.cloudtrail.resources.arn"] diff --git a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml index aa6c1fdbe..9fe428e0f 100644 --- a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml +++ b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["azure"] maturity = "production" -updated_date = "2026/02/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,17 +119,17 @@ event.dataset:azure.signinlogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique.subtechnique]] id = "T1213.002" name = "Sharepoint" reference = "https://attack.mitre.org/techniques/T1213/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" @@ -137,17 +137,44 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.app_id", "azure.signinlogs.properties.tenant_id"] diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml index 3f48cab4c..7ec1a3dc5 100644 --- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml +++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/06" integration = ["azure"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,17 +101,39 @@ event.dataset:azure.graphactivitylogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" +[[rule.threat.technique.subtechnique]] +id = "T1114.002" +name = "Remote Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml index a94c27b57..319b38ece 100644 --- a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml +++ b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/02" integration = ["azure"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,30 +110,41 @@ from logs-azure.signinlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml b/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml index 563375a5e..feb44f03e 100644 --- a/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml +++ b/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,39 +100,44 @@ sequence with maxspan=30m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml index b1e86ae2c..2f571c663 100644 --- a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml +++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/28" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,30 +135,59 @@ from logs-azure.signinlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml index b1b7021a7..45e975c3b 100644 --- a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml +++ b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -175,19 +175,31 @@ by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.006" name = "Cloud Secrets Management Stores" reference = "https://attack.mitre.org/techniques/T1555/006/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml index e23245673..c09f67d0a 100644 --- a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml +++ b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/12" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -83,14 +83,26 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1040" name = "Network Sniffing" reference = "https://attack.mitre.org/techniques/T1040/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml index 8a88cceeb..e87f96770 100644 --- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml +++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["azure"] maturity = "production" -updated_date = "2025/09/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,6 +73,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "query" @@ -84,34 +85,36 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml index d9817465e..a7edb7fe4 100644 --- a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml +++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,3 +81,15 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml index 5b308cfc6..42fb0d38b 100644 --- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml +++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,19 +80,31 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.008" name = "Disable or Modify Cloud Logs" reference = "https://attack.mitre.org/techniques/T1562/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml index 76a3d0239..2216b229f 100644 --- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -80,19 +80,23 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml index 0acbfc2f7..80d0f3312 100644 --- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,19 +81,23 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml index 5421c5675..6a7f6f9d0 100644 --- a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml +++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/27" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -81,14 +81,18 @@ event.outcome: "success" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml index f39b0218f..3f143b019 100644 --- a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml +++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,4 +109,3 @@ reference = "https://attack.mitre.org/techniques/T1537/" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml b/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml index 2cddd4d83..c70aad563 100644 --- a/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml +++ b/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,6 +80,7 @@ event.dataset:azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" @@ -90,3 +91,15 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml index ca5229f36..e24a3b4a3 100644 --- a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml +++ b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/02" integration = ["azure"] maturity = "production" -updated_date = "2025/10/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,22 +95,34 @@ event.dataset: azure.platformlogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [[rule.threat.technique.subtechnique]] id = "T1567.002" name = "Exfiltration to Cloud Storage" reference = "https://attack.mitre.org/techniques/T1567/002/" - - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["azure.platformlogs.properties.accountName"] diff --git a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml index 8388ea6eb..da3cbcf9a 100644 --- a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml +++ b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,6 +86,23 @@ id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.activitylogs.identity.claims_initiated_by_user.name"] diff --git a/rules/integrations/azure/impact_resources_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml index a28f3b454..feea463d8 100644 --- a/rules/integrations/azure/impact_resources_resource_group_deletion.toml +++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,6 +80,21 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1529" +name = "System Shutdown/Reboot" +reference = "https://attack.mitre.org/techniques/T1529/" + +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" @@ -96,15 +111,14 @@ framework = "MITRE ATT&CK" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml index e394d39c9..c2c69a968 100644 --- a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml +++ b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,39 +89,57 @@ event.dataset: "azure.activitylogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml b/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml index c844468a7..afd959b1c 100644 --- a/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml +++ b/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,22 +125,39 @@ FROM logs-azure.signinlogs-* metadata _id, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.service_principal_id", diff --git a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml index 1ef19b65d..117f44019 100644 --- a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml +++ b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,31 +106,49 @@ from logs-azure.auditlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml index 9ea2a42f5..83c4a5b14 100644 --- a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,24 +83,27 @@ Entra ID Device Code Authentication allows users to authenticate devices using a [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -108,10 +111,22 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" @@ -121,4 +136,3 @@ reference = "https://attack.mitre.org/techniques/T1550/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml index 09ce8630b..4425f39fc 100644 --- a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml +++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,26 +78,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.003" +name = "Cloud Account" +reference = "https://attack.mitre.org/techniques/T1136/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml index 61dc6a1a5..4ec0e262a 100644 --- a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["azure"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,17 +108,17 @@ event.dataset: "azure.signinlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -126,22 +126,39 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.service_principal_name", diff --git a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml index 6ff9e5edd..901507c48 100644 --- a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["azure"] maturity = "production" -updated_date = "2026/02/26" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Matteo Potito Giorgio"] @@ -78,6 +78,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "new_terms" @@ -107,30 +108,49 @@ event.dataset:(azure.activitylogs or azure.signinlogs) [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.user_principal_name"] diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml index dd73f4222..696c20a2a 100644 --- a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml +++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/08" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -199,36 +199,41 @@ from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _vers [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1550.004" +name = "Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1550/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml index fd3737f91..8e0d6694b 100644 --- a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,16 +91,21 @@ event.dataset: "azure.auditlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - +[[rule.threat.technique]] +id = "T1199" +name = "Trusted Relationship" +reference = "https://attack.mitre.org/techniques/T1199/" [rule.threat.tactic] id = "TA0001" diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml index 84bf8f56d..2c633fc89 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/17" integration = ["azure"] maturity = "production" -updated_date = "2026/01/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,6 +75,7 @@ tags = [ "Tactic: Initial Access", "Tactic: Credential Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "new_terms" @@ -139,44 +140,67 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - +[[rule.threat.technique]] +id = "T1199" +name = "Trusted Relationship" +reference = "https://attack.mitre.org/techniques/T1199/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml index d8d3ad94d..e5ddf8e98 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2026/01/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -74,6 +74,7 @@ tags = [ "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access", + ] timestamp_override = "event.ingested" type = "query" @@ -139,41 +140,64 @@ event.outcome: "success" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - +[[rule.threat.technique]] +id = "T1199" +name = "Trusted Relationship" +reference = "https://attack.mitre.org/techniques/T1199/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml index c3b919b80..6913e3e88 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,19 +80,54 @@ sequence by azure.identityprotection.properties.user_principal_name with maxspan [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml b/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml index fdff812e2..2fd952dda 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/06" integration = ["azure"] maturity = "production" -updated_date = "2025/10/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,22 +107,57 @@ event.dataset: azure.identity_protection and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml index da8c29614..d0ac2d950 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,34 +123,52 @@ event.dataset: "azure.signinlogs" and event.category: "authentication" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.user_principal_name", diff --git a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml index 6ec411078..cb949f7b8 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,17 +94,17 @@ event.dataset: "azure.signinlogs" and event.category: "authentication" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -112,34 +112,44 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml index a80ea2d72..74b30ff9e 100644 --- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml +++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -193,10 +193,12 @@ from logs-azure.signinlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" @@ -206,27 +208,44 @@ reference = "https://attack.mitre.org/techniques/T1078/004/" id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml index 99d562c68..c44ae464c 100644 --- a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml +++ b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/02" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,22 +80,39 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.user_principal_name"] diff --git a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml index 4af77d21f..ffd21e012 100644 --- a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml +++ b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/21" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Willem D'Haese"] @@ -80,18 +80,31 @@ event.dataset: "azure.auditlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1621" +name = "Multi-Factor Authentication Request Generation" +reference = "https://attack.mitre.org/techniques/T1621/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml index 53b7a1604..030a4b220 100644 --- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml +++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2026/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -114,34 +114,52 @@ event.dataset: "azure.graphactivitylogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/ml_azure_rare_method_by_city.toml b/rules/integrations/azure/ml_azure_rare_method_by_city.toml index 84f94ffc5..cba37cb9c 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_city.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_city.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -93,11 +93,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -107,3 +120,26 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/azure/ml_azure_rare_method_by_country.toml b/rules/integrations/azure/ml_azure_rare_method_by_country.toml index bbaf64426..8ab7ffc66 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_country.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_country.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -92,11 +92,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -106,3 +119,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/ml_azure_rare_method_by_user.toml b/rules/integrations/azure/ml_azure_rare_method_by_user.toml index 2dd9dacbf..712517153 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_user.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_user.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -91,11 +91,6 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -106,14 +101,14 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -124,9 +119,24 @@ id = "T1021.007" name = "Cloud Services" reference = "https://attack.mitre.org/techniques/T1021/007/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -135,13 +145,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml b/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml index 4d0f23696..f52e088dc 100644 --- a/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml +++ b/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,18 +87,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml index a89c1fcdf..c4d989ec3 100644 --- a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,7 @@ event.dataset: "azure.auditlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" @@ -102,12 +103,28 @@ id = "T1556.009" name = "Conditional Access Policies" reference = "https://attack.mitre.org/techniques/T1556/009/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"] diff --git a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml index 94d21dfa0..29ec1157e 100644 --- a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,19 +83,36 @@ event.dataset:azure.auditlogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml index 5729fb8ab..399321fc3 100644 --- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml +++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,19 +86,54 @@ event.dataset: "azure.auditlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml index 67622baed..ac59e69ab 100644 --- a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml +++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,18 +84,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml index 421b38cec..58d2f4e9d 100644 --- a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,30 +85,49 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml index b1eac4dbf..ec43155f2 100644 --- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml +++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,43 +110,45 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -155,3 +157,20 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml index 39ea903de..d294fd521 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -81,6 +81,7 @@ event.dataset: "azure.auditlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" @@ -91,13 +92,28 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml b/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml index fd409ec66..01c3be381 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "Changes in ECS added cloud.* fields which are not available prior to ^9.2.0" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,36 +91,54 @@ from logs-azure.auditlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml index b1f8591e4..b61fccee5 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/13" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,19 +81,31 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml index e292a7a70..d3b95428b 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/13" integration = ["azure"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,19 +106,36 @@ sequence by azure.correlation_id with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.005" +name = "Device Registration" +reference = "https://attack.mitre.org/techniques/T1098/005/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml index 0491e8e6a..dcc9cdf62 100644 --- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -68,26 +68,39 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml index 0d51d53ca..fd050eb7f 100644 --- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,23 +73,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml index ab26fc86d..f26e6c6a3 100644 --- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml +++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["azure"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -67,6 +67,7 @@ tags = [ "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "new_terms" @@ -84,34 +85,35 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml index 6cf845947..fc8d63fc4 100644 --- a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml +++ b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,30 +78,36 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml index fa59f5be6..b0db08245 100644 --- a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml +++ b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,22 +75,39 @@ event.dataset: azure.graphactivitylogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.009" name = "Conditional Access Policies" reference = "https://attack.mitre.org/techniques/T1556/009/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.graphactivitylogs.properties.user_principal_object_id"] diff --git a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml index af9bc41d8..757b281be 100644 --- a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml +++ b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,6 +81,17 @@ sequence with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" @@ -91,16 +102,6 @@ id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml index de9b0f235..658060292 100644 --- a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml +++ b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/15" integration = ["azure"] maturity = "production" -updated_date = "2025/09/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -93,18 +93,36 @@ event.dataset: azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml index 0f07d5c90..fa9e622f4 100644 --- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml +++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -90,22 +90,39 @@ event.dataset: azure.auditlogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"] diff --git a/rules/integrations/azure/privilege_escalation_entra_id_tenant_domain_federation_via_audit_logs.toml b/rules/integrations/azure/privilege_escalation_entra_id_tenant_domain_federation_via_audit_logs.toml index 158a7df67..86c734cab 100644 --- a/rules/integrations/azure/privilege_escalation_entra_id_tenant_domain_federation_via_audit_logs.toml +++ b/rules/integrations/azure/privilege_escalation_entra_id_tenant_domain_federation_via_audit_logs.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/03" integration = ["azure"] maturity = "production" -updated_date = "2026/03/25" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -95,35 +95,64 @@ event.dataset: azure.auditlogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml index eae2f416a..b400b2509 100644 --- a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -82,30 +82,46 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml index f89fe47c8..5b75f7628 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,19 +95,23 @@ Statistical models analyze network traffic patterns to identify anomalies indica [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" + [[rule.threat.technique.subtechnique]] id = "T1102.002" name = "Bidirectional Communication" reference = "https://attack.mitre.org/techniques/T1102/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml index 0fe0d4d73..26026a63b 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,19 +90,23 @@ Statistical models analyze network traffic patterns to identify anomalies indica [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" + [[rule.threat.technique.subtechnique]] id = "T1102.002" name = "Bidirectional Communication" reference = "https://attack.mitre.org/techniques/T1102/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml index 98c2b0a4e..a49b73ed4 100644 --- a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml +++ b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -71,6 +71,11 @@ process.interactive == true and container.id like "?*" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml b/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml index 5d448150e..eb6374efd 100644 --- a/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml +++ b/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,35 +95,40 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml b/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml index 0e1b024eb..5a9bac0b7 100644 --- a/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml +++ b/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,6 +96,11 @@ process where event.type == "start" and event.action == "exec" and ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml index 66fa6456e..aeef03f2c 100644 --- a/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,3 +94,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml index 67fbebdda..6bb349847 100644 --- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,6 +125,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml index 6466f00e4..e7d2d276f 100644 --- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,7 +115,38 @@ id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml b/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml index 1dc984715..52c57446c 100644 --- a/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml +++ b/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,3 +115,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml index a3e3f9776..e44e85697 100644 --- a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml +++ b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -130,45 +130,60 @@ sequence by process.parent.entity_id, container.id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" - [[rule.threat.technique]] - name = "Obfuscated Files or Information" - id = "T1027" - reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" - [[rule.threat.technique]] - name = "Deobfuscate/Decode Files or Information" - id = "T1140" - reference = "https://attack.mitre.org/techniques/T1140/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" - [[rule.threat.technique.subtechnique]] - name = "Malicious File" - id = "T1204.002" - reference = "https://attack.mitre.org/techniques/T1204/002/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml index 5da9a158d..fec72adfd 100644 --- a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml +++ b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -150,3 +150,16 @@ reference = "https://attack.mitre.org/techniques/T1204/002/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml b/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml index 0538c4cd9..e03bdc70a 100644 --- a/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml +++ b/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,24 +75,29 @@ process where event.type == "start" and event.action == "exec" and process.inter [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" [[rule.threat.technique]] -name = "Reflective Code Loading" id = "T1620" +name = "Reflective Code Loading" reference = "https://attack.mitre.org/techniques/T1620/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -103,15 +108,20 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] -name = "Application Layer Protocol" id = "T1071" +name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml index f84f1a58a..ad6767033 100644 --- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml +++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,3 +99,39 @@ reference = "https://attack.mitre.org/techniques/T1574/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml index 4168f4a71..d739ee6e2 100644 --- a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml +++ b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" diff --git a/rules/integrations/cloud_defend/discovery_dns_enumeration.toml b/rules/integrations/cloud_defend/discovery_dns_enumeration.toml index f09bad36a..a240e78a3 100644 --- a/rules/integrations/cloud_defend/discovery_dns_enumeration.toml +++ b/rules/integrations/cloud_defend/discovery_dns_enumeration.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,26 +109,31 @@ process.interactive == true and container.id like "*" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" [[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" - -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/integrations/cloud_defend/discovery_environment_enumeration.toml b/rules/integrations/cloud_defend/discovery_environment_enumeration.toml index f5cef44a7..05fdcbcc1 100644 --- a/rules/integrations/cloud_defend/discovery_environment_enumeration.toml +++ b/rules/integrations/cloud_defend/discovery_environment_enumeration.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,16 +96,16 @@ process.interactive == true and container.id like "*" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml b/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml index 9a67f6171..91e58c858 100644 --- a/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml +++ b/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,3 +101,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml b/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml index 9e8e35195..fc8c6d397 100644 --- a/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml +++ b/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,6 +86,11 @@ sequence by container.id, user.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" diff --git a/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml b/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml index 81381ad38..ef16f2f9e 100644 --- a/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml +++ b/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,15 +94,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml b/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml index 5e447e222..10cc0ef66 100644 --- a/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml +++ b/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,17 +96,30 @@ any where host.os.type == "linux" and process.interactive == true and container. [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml index 6b685a4ac..55c1dcb39 100644 --- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -156,3 +156,16 @@ reference = "https://attack.mitre.org/techniques/T1595/" id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml index 6a1717f97..3ad1999ec 100644 --- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1609/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml b/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml index eca6ed471..2878c5eee 100644 --- a/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml +++ b/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,6 +132,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -149,3 +154,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml b/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml index aa6c4f5a4..545c68ed4 100644 --- a/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml +++ b/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,11 +78,6 @@ file.path like ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -93,23 +88,43 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] -name = "Application Layer Protocol" id = "T1071" +name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml index 4d369ab69..1b2800b05 100644 --- a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml +++ b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -97,6 +97,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml index 8c8ff3668..28586e1bc 100644 --- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,3 +125,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[[rule.threat.technique.subtechnique]] +id = "T1048.003" +name = "Exfiltration Over Unencrypted Non-C2 Protocol" +reference = "https://attack.mitre.org/techniques/T1048/003/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml index 929a3fbb9..de03d834e 100644 --- a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml +++ b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,11 +99,6 @@ sequence by process.parent.entity_id, container.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -114,23 +109,38 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" [rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Application Layer Protocol" id = "T1071" +name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml index 1e80e6c6c..579b60c02 100644 --- a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml +++ b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,3 +105,16 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml index 064d6451f..67a56308d 100644 --- a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/26" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1222/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml index 674f35520..d677ad197 100644 --- a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml +++ b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,45 +117,63 @@ process.parent.executable != null and ( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" - [[rule.threat.technique.subtechnique]] - name = "Lua" - id = "T1059.011" - reference = "https://attack.mitre.org/techniques/T1059/011/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/execution_tool_installation.toml b/rules/integrations/cloud_defend/execution_tool_installation.toml index ad87e6341..a5a4dec95 100644 --- a/rules/integrations/cloud_defend/execution_tool_installation.toml +++ b/rules/integrations/cloud_defend/execution_tool_installation.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,3 +98,16 @@ reference = "https://attack.mitre.org/techniques/T1072/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml b/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml index f2710c97e..7bbd64a8f 100644 --- a/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml +++ b/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,24 +116,39 @@ not process.name in ("apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + [[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" [[rule.threat.technique]] id = "T1546" @@ -153,21 +168,36 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -191,11 +221,21 @@ id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml index a177a3511..3da9b6ce3 100644 --- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml +++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1563/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml index 4e79c7957..92639f5d1 100644 --- a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml +++ b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,9 +86,9 @@ process.args like ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" [[rule.threat.technique]] id = "T1053" @@ -101,9 +101,24 @@ name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" [[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [[rule.threat.technique]] id = "T1546" @@ -115,6 +130,16 @@ id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -123,11 +148,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" @@ -138,6 +158,46 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -156,7 +216,30 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml index eb31c917b..66be4c56c 100644 --- a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml +++ b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -237,11 +237,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Persistence" -id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" @@ -252,14 +247,14 @@ id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -270,15 +265,61 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml index de958bb3b..8bc0dec00 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,3 +108,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml index 1542c1df4..4b4422d68 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,3 +91,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml index ae9278783..5b7dd0fa5 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -53,16 +53,17 @@ event.dataset:cyberarkpas.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -71,3 +72,28 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1555" +name = "Credentials from Password Stores" +reference = "https://attack.mitre.org/techniques/T1555/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml index cd93d2712..78a1259f5 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,14 +89,26 @@ Machine learning models analyze network traffic to identify anomalies, such as d - Implement enhanced monitoring on the affected system and network segment to detect any further suspicious activity.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml index 8e885a4b2..8b7205dff 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,14 +89,18 @@ The detection rule leverages machine learning to identify anomalies in data tran - Consider deploying endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" +[[rule.threat.technique.subtechnique]] +id = "T1052.001" +name = "Exfiltration over USB" +reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml index a69cb0486..efabd6323 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -90,14 +90,18 @@ Airdrop facilitates seamless file sharing between Apple devices, leveraging Blue - Update security policies and controls to restrict Airdrop usage to only trusted devices and networks, reducing the risk of future unauthorized data transfers.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1011" name = "Exfiltration Over Other Network Medium" reference = "https://attack.mitre.org/techniques/T1011/" +[[rule.threat.technique.subtechnique]] +id = "T1011.001" +name = "Exfiltration Over Bluetooth" +reference = "https://attack.mitre.org/techniques/T1011/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml index d0c800d51..f4de893c2 100644 --- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,14 +89,18 @@ In modern environments, processes may write data to external devices for legitim - Update security policies and controls to prevent similar exfiltration attempts, such as restricting process permissions to write to external devices and enhancing endpoint protection measures.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" +[[rule.threat.technique.subtechnique]] +id = "T1052.001" +name = "Exfiltration over USB" +reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml index 4754264f3..c73adc011 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/04/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,19 +99,28 @@ Domain Generation Algorithms (DGAs) are used by adversaries to dynamically gener [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml index afcf159fa..e02a63c65 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -96,14 +96,28 @@ Domain Generation Algorithms (DGAs) are used by malware to dynamically generate - Escalate to incident response team: If the threat is confirmed and widespread, escalate the incident to the organization's incident response team for further investigation and coordinated response efforts.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" +[[rule.threat.technique.subtechnique]] +id = "T1568.002" +name = "Domain Generation Algorithms" +reference = "https://attack.mitre.org/techniques/T1568/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml index 1e9fe0424..1779d62bc 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,19 +98,28 @@ Machine learning models analyze DNS requests to identify patterns indicative of [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml index 4f2e1f35a..8db1349b6 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,19 +99,28 @@ Machine learning models can identify patterns in DNS requests that suggest the u [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/fim/persistence_suspicious_file_modifications.toml b/rules/integrations/fim/persistence_suspicious_file_modifications.toml index 4ef9a4594..c1132aad5 100644 --- a/rules/integrations/fim/persistence_suspicious_file_modifications.toml +++ b/rules/integrations/fim/persistence_suspicious_file_modifications.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["fim"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -220,14 +220,24 @@ name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] -id = "T1547.006" -name = "Kernel Modules and Extensions" -reference = "https://attack.mitre.org/techniques/T1547/006/" +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" [[rule.threat.technique]] id = "T1136" @@ -249,6 +259,36 @@ id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.013" +name = "XDG Autostart Entries" +reference = "https://attack.mitre.org/techniques/T1547/013/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml index 2ade101b0..33faa5567 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,14 +81,18 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1119" +name = "Automated Collection" +reference = "https://attack.mitre.org/techniques/T1119/" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml index 2f2e473a3..0473d5f4f 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,26 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1651" +name = "Cloud Administration Command" +reference = "https://attack.mitre.org/techniques/T1651/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml index 6999cef97..9d21843dd 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml index 6ac6b9d00..d6c9d4f6b 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml index 3afdc0d90..3e4fed740 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml index 0959ed9e3..8f5b62bc2 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,18 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml index 36bd43f1c..e31c93cdc 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/18" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,14 +81,18 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml index b232902cc..e3ee14773 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,14 +82,26 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml index 01e2afac0..3a37cf5dd 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/18" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,14 +83,26 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml index d518d9a46..57cc51606 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,14 +82,18 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1578" name = "Modify Cloud Compute Infrastructure" reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml index 66e674242..b73908983 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,14 +82,49 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml index 49efa174d..53b59b684 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,19 +82,31 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml index 8ae59e517..2c3215cd6 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,19 +83,28 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml index 2dbfe20df..535b01be8 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,19 +83,28 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml index cff4a666a..54b9bf8b3 100644 --- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml +++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,31 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml index d26fdfad9..062541f23 100644 --- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml +++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,26 +82,54 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml index 6ba99513f..5b663d18f 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -63,11 +63,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -77,3 +90,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml index c15173175..406d9c424 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -63,11 +63,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -77,3 +90,26 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml index 0474776c3..871858777 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -62,11 +62,6 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -77,14 +72,14 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -95,9 +90,24 @@ id = "T1021.007" name = "Cloud Services" reference = "https://attack.mitre.org/techniques/T1021/007/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -106,12 +116,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml index 606013200..6d3e2886d 100644 --- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml +++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,14 +86,26 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml index 84d9cc827..c4c1bd548 100644 --- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml +++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml index 64c798841..176344f20 100644 --- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml +++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,14 +83,18 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" +[[rule.threat.technique.subtechnique]] +id = "T1136.003" +name = "Cloud Account" +reference = "https://attack.mitre.org/techniques/T1136/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml index 5bf9ba190..f480ad701 100644 --- a/rules/integrations/github/execution_github_app_deleted.toml +++ b/rules/integrations/github/execution_github_app_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -67,14 +67,31 @@ configuration where event.dataset == "github.audit" and github.category == "inte [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml index 723fabe54..09f3929e3 100644 --- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml +++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,17 +72,34 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.threshold] field = ["github.hashed_token"] value = 1 diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml index d7a9a7fb6..d7660e1b6 100644 --- a/rules/integrations/github/execution_new_github_app_installed.toml +++ b/rules/integrations/github/execution_new_github_app_installed.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,14 +72,39 @@ configuration where event.dataset == "github.audit" and event.action == "integra [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1072" name = "Software Deployment Tools" reference = "https://attack.mitre.org/techniques/T1072/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1199" +name = "Trusted Relationship" +reference = "https://attack.mitre.org/techniques/T1199/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml index b0f024d3a..3832a1524 100644 --- a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml +++ b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,3 +109,21 @@ reference = "https://attack.mitre.org/techniques/T1567/001/" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml index 46b687e9f..f93858e67 100644 --- a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml +++ b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2025/12/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -50,6 +50,16 @@ reference = "https://attack.mitre.org/tactics/TA0040/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" @@ -78,6 +88,23 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["source.ip", "github.repo"] diff --git a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml index 56e1f025d..ce69ec2c8 100644 --- a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,6 +98,16 @@ id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml index 3273c4e20..f7975e321 100644 --- a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,6 +99,16 @@ id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml index 46a8c27fb..db556bfbf 100644 --- a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml @@ -4,7 +4,7 @@ integration = ["github"] maturity = "production" min_stack_comments = "mv_contains ES|QL function only available post 9.2 in tech preview" min_stack_version = "9.2.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,6 +103,16 @@ id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml index 59d99cbea..dd4d72e5c 100644 --- a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml +++ b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/09" integration = ["github"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,10 +84,12 @@ event.dataset: "github.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" @@ -100,6 +102,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -110,6 +113,23 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.new_terms] field = "new_terms_fields" value = ["github.org_id", "github.repo"] diff --git a/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml index 15f2ba57b..80af6816d 100644 --- a/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml +++ b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/05" integration = ["github"] maturity = "production" -updated_date = "2025/12/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,23 +84,30 @@ from logs-github.audit-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -113,12 +120,12 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml index 5b6539b91..6cb779a03 100644 --- a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml +++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/28" integration = ["github"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,23 +73,26 @@ event.dataset:"github.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.actor_ip"] diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml index 6ebccba29..ab17df05e 100644 --- a/rules/integrations/github/persistence_github_org_owner_added.toml +++ b/rules/integrations/github/persistence_github_org_owner_added.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,19 +72,46 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.003" name = "Cloud Account" reference = "https://attack.mitre.org/techniques/T1136/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/github/persistence_new_pat_created.toml b/rules/integrations/github/persistence_new_pat_created.toml index ff972644a..ca627a7c4 100644 --- a/rules/integrations/github/persistence_new_pat_created.toml +++ b/rules/integrations/github/persistence_new_pat_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,6 +72,16 @@ github.category == "personal_access_token" and event.action == "personal_access_ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml index c8b2b1f0f..b43529671 100644 --- a/rules/integrations/github/persistence_organization_owner_role_granted.toml +++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -70,19 +70,36 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml index 8b50df9d3..7cab15de6 100644 --- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml +++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/24" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,19 +101,31 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" + [[rule.threat.technique.subtechnique]] id = "T1074.002" name = "Remote Data Staging" reference = "https://attack.mitre.org/techniques/T1074/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1537" +name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml index 361389721..464366aa8 100644 --- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml +++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,19 +102,31 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml index ba8f4a4f7..6306e9be4 100644 --- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml +++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,19 +107,23 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml index 50b9fd776..987573a35 100644 --- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml +++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,19 +99,28 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml index 3da71e49a..c6a45f868 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,19 +100,23 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml index dbe8480ee..625a14b96 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/30" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,39 +90,57 @@ google_workspace.token.scope.data: *Login and google_workspace.token.client.id: [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["google_workspace.token.client.id"] diff --git a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml index 09ecde61c..2b52d566d 100644 --- a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml +++ b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,19 +108,23 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml index b55c25913..6ca7e8646 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,14 +99,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1531" name = "Account Access Removal" reference = "https://attack.mitre.org/techniques/T1531/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml index 5c62a0f8b..25db10203 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,14 +103,49 @@ event.dataset:google_workspace.admin and event.provider:admin [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1531" name = "Account Access Removal" reference = "https://attack.mitre.org/techniques/T1531/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml index 9da5f0902..9ae1d29e3 100644 --- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml +++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/16" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,19 +104,31 @@ iam where event.dataset == "google_workspace.admin" and event.action == "ADD_GRO [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml index e3a60da3c..1b4990aa4 100644 --- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml +++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,19 +94,41 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml index 46a1d328e..afa271c9b 100644 --- a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml +++ b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,19 +116,54 @@ sequence by source.user.email with maxspan=3m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.001" +name = "Malicious Link" +reference = "https://attack.mitre.org/techniques/T1204/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml index 90cf5ef9b..88bf490d5 100644 --- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml +++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,8 +104,17 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml index 4647fb4ae..5e354b05b 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/26" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,14 +103,39 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml index a23661911..6d63f4458 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,19 +107,36 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml index 2a59b14ea..0783b41bd 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/12" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,14 +104,26 @@ event.dataset:google_workspace.admin [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml index 643c9d27e..6ccf74de9 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,14 +104,36 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml index 986aac4bd..479e37fcf 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,14 +111,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml index 040e19fdd..57d821e33 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,14 +106,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml index cb0bc8fec..5d52d7026 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,19 +106,36 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml index 8bc3d0512..b86f191f0 100644 --- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml +++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,14 +100,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml b/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml index 0a6f1a129..5bfd274a2 100644 --- a/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml +++ b/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,31 +111,54 @@ FROM logs-kubernetes.audit_logs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml index 7e2e71654..d2956e2aa 100644 --- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml +++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml b/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml index a8929be63..78095ce33 100644 --- a/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml +++ b/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -137,3 +137,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.003" +name = "Wordlist Scanning" +reference = "https://attack.mitre.org/techniques/T1595/003/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml index 359940c58..8d281cecb 100644 --- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml +++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/30" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,6 +91,16 @@ kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectr [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.003" +name = "Cloud Groups" +reference = "https://attack.mitre.org/techniques/T1069/003/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" @@ -100,7 +110,6 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml index 25df5e788..0a7e58df7 100644 --- a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml +++ b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -40,6 +40,11 @@ kubernetes.audit.objectRef.resource == "pods" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml index 19a1619b8..3d7530a10 100644 --- a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml +++ b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/01/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,3 +78,4 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml index b6fa7170c..3ee8f23c9 100644 --- a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml +++ b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/17" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,6 +79,18 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml index 1dcd69850..da9b80ada 100644 --- a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml +++ b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/18" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,6 +84,31 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"] diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml index a850dfd20..1ac77ed68 100644 --- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml +++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml index 229f67132..f19fb4cd1 100644 --- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml +++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2025/06/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,14 +91,26 @@ event.dataset : "kubernetes.audit_logs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml index ec7881b35..3a035b3ef 100644 --- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml +++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/20" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,3 +106,16 @@ reference = "https://attack.mitre.org/techniques/T1610/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml index 15f42caaf..abd158abb 100644 --- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml +++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml index f68d1d287..dad214db7 100644 --- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml +++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml index 550d4cdd4..a2d144b30 100644 --- a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml +++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/04" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -36,16 +36,16 @@ This rule detects when a user grants or broadens high-risk permissions in a Role ### False positive analysis -- A platform engineer performing an urgent, legitimate RBAC adjustment (e.g., expanding a Role/ClusterRole for a new feature rollout) and then immediately patching or deploying a DaemonSet/Deployment/CronJob as part of the same change window can match this sequence. +- A platform engineer performing an urgent, legitimate RBAC adjustment (e.g., expanding a Role/ClusterRole for a new feature rollout) and then immediately patching or deploying a DaemonSet/Deployment/CronJob as part of the same change window can match this sequence. - A CI/CD pipeline or GitOps-style workflow using a non-system:masters identity may update RBAC manifests and then apply workload updates within minutes during routine releases, producing this pattern without malicious intent. ### Response and remediation -- Immediately revoke or roll back the risky Role/ClusterRole changes and remove any new/updated RoleBinding/ClusterRoleBinding that ties the elevated permissions to the triggering user or service account. -- Quarantine the modified Deployment/DaemonSet/CronJob by scaling it to zero or deleting it and cordon/drain affected nodes if pods ran privileged, used hostPath mounts, or executed on many nodes. -- Rotate credentials and access paths exposed through the workload (service account tokens, kubeconfig files, mounted secrets, cloud keys) and invalidate any newly issued tokens tied to the actor. -- For eradication and recovery, redeploy workloads from trusted Git/registry sources, block the suspicious images/digests in admission controls, and verify no persistence remains via CronJobs, DaemonSets, webhook configurations, or additional RBAC bindings. -- Escalate to incident response and platform leadership if the RBAC change included wildcard permissions or escalation verbs, if the workload ran privileged/hostNetwork/hostPID, or if sensitive secrets were accessed or exfiltration is suspected. +- Immediately revoke or roll back the risky Role/ClusterRole changes and remove any new/updated RoleBinding/ClusterRoleBinding that ties the elevated permissions to the triggering user or service account. +- Quarantine the modified Deployment/DaemonSet/CronJob by scaling it to zero or deleting it and cordon/drain affected nodes if pods ran privileged, used hostPath mounts, or executed on many nodes. +- Rotate credentials and access paths exposed through the workload (service account tokens, kubeconfig files, mounted secrets, cloud keys) and invalidate any newly issued tokens tied to the actor. +- For eradication and recovery, redeploy workloads from trusted Git/registry sources, block the suspicious images/digests in admission controls, and verify no persistence remains via CronJobs, DaemonSets, webhook configurations, or additional RBAC bindings. +- Escalate to incident response and platform leadership if the RBAC change included wildcard permissions or escalation verbs, if the workload ran privileged/hostNetwork/hostPID, or if sensitive secrets were accessed or exfiltration is suspected. - Harden by enforcing least-privilege RBAC, requiring peer approval for RBAC changes, restricting workload mutations via GitOps-only service accounts, and using admission policies to deny privileged pods, hostPath mounts, and unapproved registries. """ references = [ diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml index cd55cbf87..e1ff2f63e 100644 --- a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml +++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -26,24 +26,24 @@ This rule detects allowed create or patch activity against sensitive Kubernetes ### Possible investigation steps -- Retrieve the full audit event for the change and compare it to the most recent prior modification of the same workload to identify what was altered (e.g., image, command/args, env/secret refs, volumes, serviceAccount, securityContext, hostPath/hostNetwork, privileged settings). -- Attribute the action to a real identity by tracing the Kubernetes user to its backing cloud/IAM identity or kubeconfig/cert and validate whether the access path (SSO, token, service account, CI/CD runner) and source network location are expected for that operator. -- Determine blast radius by listing other recent creates/patches by the same identity and from the same origin across namespaces, and check for follow-on actions such as creating RBAC bindings, secrets, or additional controllers. -- Inspect the affected workload’s rollout status and pod specs to confirm whether new pods were created, then review container images, pull registries, and runtime behavior for indicators of compromise (unexpected network egress, crypto-mining, credential access, or exec activity). +- Retrieve the full audit event for the change and compare it to the most recent prior modification of the same workload to identify what was altered (e.g., image, command/args, env/secret refs, volumes, serviceAccount, securityContext, hostPath/hostNetwork, privileged settings). +- Attribute the action to a real identity by tracing the Kubernetes user to its backing cloud/IAM identity or kubeconfig/cert and validate whether the access path (SSO, token, service account, CI/CD runner) and source network location are expected for that operator. +- Determine blast radius by listing other recent creates/patches by the same identity and from the same origin across namespaces, and check for follow-on actions such as creating RBAC bindings, secrets, or additional controllers. +- Inspect the affected workload’s rollout status and pod specs to confirm whether new pods were created, then review container images, pull registries, and runtime behavior for indicators of compromise (unexpected network egress, crypto-mining, credential access, or exec activity). - Validate the change against an approved deployment workflow by correlating with GitOps/CI commit history and change tickets, and if unapproved, contain by scaling down/rolling back the workload and revoking the credential or token used. ### False positive analysis -- A legitimate on-call engineer performs an emergency `kubectl` create/patch to a Deployment/CronJob/DaemonSet from a new workstation, VPN egress IP, or updated kubectl version, producing an unusual user_agent/source IP/username combination despite being authorized. +- A legitimate on-call engineer performs an emergency `kubectl` create/patch to a Deployment/CronJob/DaemonSet from a new workstation, VPN egress IP, or updated kubectl version, producing an unusual user_agent/source IP/username combination despite being authorized. - A routine automation path changes (e.g., CI runner or service account rotated/migrated to a new node pool or network segment) and continues applying standard workload updates, causing the same create/patch activity to appear anomalous due to the new origin and client identity. ### Response and remediation -- Immediately pause impact by scaling the modified Deployment/CronJob to zero or deleting the new DaemonSet and stopping any active rollout while preserving the altered manifest for evidence. -- Roll back the workload to the last known-good version from GitOps/CI or prior ReplicaSet/Job template, then redeploy only after verifying container images, init containers, commands, serviceAccount, and privileged/host settings match the approved baseline. -- Revoke and rotate the credential used for the change (user token/cert or service account token), invalidate related kubeconfigs, and review/remove any newly created RBAC bindings, secrets, or service accounts tied to the same actor. -- Quarantine affected nodes and pods for analysis by cordoning/draining nodes that ran the new pods and collecting pod logs, container filesystem snapshots, and network egress details to identify payloads and persistence. -- Escalate to the incident response/on-call security team immediately if the change introduced privileged containers, hostPath mounts, hostNetwork, new external images/registries, or any unexpected DaemonSet creation across multiple nodes. +- Immediately pause impact by scaling the modified Deployment/CronJob to zero or deleting the new DaemonSet and stopping any active rollout while preserving the altered manifest for evidence. +- Roll back the workload to the last known-good version from GitOps/CI or prior ReplicaSet/Job template, then redeploy only after verifying container images, init containers, commands, serviceAccount, and privileged/host settings match the approved baseline. +- Revoke and rotate the credential used for the change (user token/cert or service account token), invalidate related kubeconfigs, and review/remove any newly created RBAC bindings, secrets, or service accounts tied to the same actor. +- Quarantine affected nodes and pods for analysis by cordoning/draining nodes that ran the new pods and collecting pod logs, container filesystem snapshots, and network egress details to identify payloads and persistence. +- Escalate to the incident response/on-call security team immediately if the change introduced privileged containers, hostPath mounts, hostNetwork, new external images/registries, or any unexpected DaemonSet creation across multiple nodes. - Harden by enforcing admission controls to restrict privileged settings and sensitive namespaces, requiring changes via approved automation identities, and tightening RBAC so only designated deployment controllers can create/patch DaemonSets, Deployments, and CronJobs. """ references = [ diff --git a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml index 0314f867e..f869cc079 100644 --- a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml +++ b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/04" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -35,16 +35,16 @@ This rule detects Kubernetes service accounts performing allowed write actions o ### False positive analysis -- A platform automation running in-cluster (e.g., a controller or CI job using a service account) legitimately applies RBAC manifests during routine deployment, upgrades, or namespace onboarding, resulting in create/patch/update of Roles or RoleBindings. +- A platform automation running in-cluster (e.g., a controller or CI job using a service account) legitimately applies RBAC manifests during routine deployment, upgrades, or namespace onboarding, resulting in create/patch/update of Roles or RoleBindings. - A Kubernetes operator or housekeeping workflow running under a service account intentionally adjusts RBAC as part of maintenance (e.g., rotating access, reconciling drift, or cleaning up obsolete bindings) and triggers allowed delete or update actions on RBAC resources. ### Response and remediation -- Immediately remove or quarantine the offending service account by deleting its RoleBindings/ClusterRoleBindings and restarting or scaling down the owning workload to stop further RBAC writes. -- Revert the unauthorized RBAC object changes by restoring the last known-good Roles/Bindings from GitOps/manifests (or `kubectl rollout undo` where applicable) and verify no new subjects gained wildcard or cluster-admin-equivalent access. -- Rotate credentials by recreating the service account or triggering token re-issuance, deleting any mounted legacy token secrets, and redeploying workloads to ensure old tokens cannot be reused. -- Hunt and eradicate persistence by searching for additional recently modified RBAC objects and newly created service accounts in the same namespaces, then remove unauthorized accounts/bindings and scan the implicated container images for backdoors. -- Escalate to incident response and cluster administrators immediately if any change grants `cluster-admin`, introduces `*` verbs/resources, or binds a service account to privileged ClusterRoles across namespaces. +- Immediately remove or quarantine the offending service account by deleting its RoleBindings/ClusterRoleBindings and restarting or scaling down the owning workload to stop further RBAC writes. +- Revert the unauthorized RBAC object changes by restoring the last known-good Roles/Bindings from GitOps/manifests (or `kubectl rollout undo` where applicable) and verify no new subjects gained wildcard or cluster-admin-equivalent access. +- Rotate credentials by recreating the service account or triggering token re-issuance, deleting any mounted legacy token secrets, and redeploying workloads to ensure old tokens cannot be reused. +- Hunt and eradicate persistence by searching for additional recently modified RBAC objects and newly created service accounts in the same namespaces, then remove unauthorized accounts/bindings and scan the implicated container images for backdoors. +- Escalate to incident response and cluster administrators immediately if any change grants `cluster-admin`, introduces `*` verbs/resources, or binds a service account to privileged ClusterRoles across namespaces. - Harden going forward by enforcing least-privilege RBAC, enabling admission controls to restrict RBAC modifications to approved identities/namespaces, and using short-lived projected service account tokens with workload identity constraints. """ references = [ @@ -110,3 +110,4 @@ reference = "https://attack.mitre.org/techniques/T1098/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml index 6c59087b0..22016d916 100644 --- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml +++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,3 +107,4 @@ reference = "https://attack.mitre.org/techniques/T1078/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml index a2e6b2e13..d7e8c4ec4 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -95,14 +95,23 @@ Remote Desktop Protocol (RDP) facilitates remote access to systems, often target - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml index db8f0b280..c4a9de77a 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) enables remote access to systems, facilitating adm - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml index b4d4e4a8f..8b4708007 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -96,14 +96,31 @@ Machine learning models in security environments analyze file transfer patterns - Enhance monitoring and logging for unusual file transfer activities and remote access attempts to improve early detection of similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1039" +name = "Data from Network Shared Drive" +reference = "https://attack.mitre.org/techniques/T1039/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml index bc0292876..28673a7b2 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) enables remote access to systems, facilitating leg - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml index 04f5ad445..ea82363e1 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -96,14 +96,18 @@ The 'Unusual Remote File Directory' detection leverages machine learning to iden - Update detection mechanisms and rules to enhance monitoring of less common directories and improve the detection of similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml index 8cc42195a..60be1f2cb 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -95,14 +95,18 @@ The detection of unusual remote file extensions leverages machine learning to id - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml index 027b7598a..53517117a 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) is a common tool for remote management, but advers - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes, ensuring early detection of future attempts.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml index e511ab602..fb2dd4c72 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -95,14 +95,23 @@ Remote Desktop Protocol (RDP) is crucial for remote management and troubleshooti - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes in the future, ensuring quick identification and response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml index d5bcf1bf4..c39a26c35 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -94,14 +94,23 @@ Remote Desktop Protocol (RDP) allows users to connect to other computers over a - Enhance monitoring and detection capabilities for RDP sessions by implementing stricter access controls and logging to detect similar anomalies in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml index d66e8ddd4..a06650355 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -97,14 +97,18 @@ Remote file transfer technologies facilitate data sharing across networks, essen - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml index be5de02f9..c989b30fd 100644 --- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml +++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) enables remote access to systems, crucial for IT m - Implement enhanced monitoring on the affected system and related network segments to detect any further suspicious activities or attempts at unauthorized access.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml index 1ad36ca53..3b6bdd9ca 100644 --- a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml +++ b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -169,17 +169,17 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml index e79eaca74..4dda806d2 100644 --- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml +++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/19" integration = ["o365"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -150,6 +150,16 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1020" +name = "Automated Exfiltration" +reference = "https://attack.mitre.org/techniques/T1020/" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml index 89da65e6e..963c73a24 100644 --- a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml +++ b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/24" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -86,26 +86,27 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique.subtechnique]] id = "T1213.002" name = "Sharepoint" reference = "https://attack.mitre.org/techniques/T1213/002/" - [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -114,6 +115,24 @@ id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml index bcad5515b..7f28c7920 100644 --- a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml +++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -58,6 +58,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "eql" @@ -75,48 +76,49 @@ sequence by related.user with maxspan=30m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml index d9d60e521..0f2f0e732 100644 --- a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml +++ b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/10" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -68,6 +68,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "esql" @@ -153,3 +154,19 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml index 692780a64..f6a7afa5e 100644 --- a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml +++ b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["o365"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -188,48 +188,59 @@ from logs-o365.audit-* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml index c1cad5d40..dbdd60ecb 100644 --- a/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,18 +85,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml index 07af6dc66..004e5b760 100644 --- a/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,18 +78,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml index 8574d32b9..110b2b65d 100644 --- a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,11 +80,16 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml index 2291a229f..ec6089b3a 100644 --- a/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,18 +83,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml index 1a63debc0..be7927c5f 100644 --- a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml +++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/13" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,23 +75,31 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique.subtechnique]] -id = "T1562.008" -name = "Disable or Modify Cloud Logs" -reference = "https://attack.mitre.org/techniques/T1562/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml index 9b65cad71..c42fdc662 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml index aeb5c1578..c8313e379 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,14 +83,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml index 146cb01f0..b902db463 100644 --- a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml +++ b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["o365"] maturity = "production" -updated_date = "2026/01/29" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Jamie Lee", "Marco Pedrinazzi"] @@ -119,22 +119,39 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.008" name = "Email Hiding Rules" reference = "https://attack.mitre.org/techniques/T1564/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1137" +name = "Office Application Startup" +reference = "https://attack.mitre.org/techniques/T1137/" + +[[rule.threat.technique.subtechnique]] +id = "T1137.005" +name = "Outlook Rules" +reference = "https://attack.mitre.org/techniques/T1137/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["user.id", "source.ip"] diff --git a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml index 42f4af5cf..36613ec06 100644 --- a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,14 +83,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml b/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml index 60c6d1046..a059221e9 100644 --- a/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml +++ b/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/25" integration = ["o365"] maturity = "production" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,17 +106,36 @@ web where event.dataset == "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.008" name = "Clear Mailbox Data" reference = "https://attack.mitre.org/techniques/T1070/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.005" +name = "Device Registration" +reference = "https://attack.mitre.org/techniques/T1098/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml index 7b81c5b2b..8d5e9e22b 100644 --- a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml +++ b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/27" integration = ["o365"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -107,10 +107,17 @@ event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" @@ -120,4 +127,3 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml index 98575d907..9353dbcbe 100644 --- a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,14 +80,18 @@ o365.audit.NewValue:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml index a83611522..570299d5b 100644 --- a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml +++ b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,14 +78,18 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml index cc943708b..b236dee5b 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,14 +78,31 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1114" +name = "Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique.subtechnique]] +id = "T1114.003" +name = "Email Forwarding Rule" +reference = "https://attack.mitre.org/techniques/T1114/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml index ed1b40e87..8ab9e702e 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,14 +79,31 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml index 2a6f4711e..3cd8b3f6c 100644 --- a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml +++ b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -86,14 +86,23 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml index f38c9c8e7..10b2649fc 100644 --- a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml +++ b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/04" integration = ["o365"] maturity = "production" -updated_date = "2025/10/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -93,17 +93,17 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml index 509957588..a593f424e 100644 --- a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/24" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,34 +102,47 @@ event.dataset: "o365.audit" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml index f97a3f4fe..72c07c330 100644 --- a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml +++ b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["o365"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -141,29 +141,46 @@ event.dataset: "o365.audit" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml index bf11a1e50..f448ef4d4 100644 --- a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml +++ b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -103,27 +103,49 @@ event.dataset:o365.audit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + +[[rule.threat.technique]] +id = "T1606" +name = "Forge Web Credentials" +reference = "https://attack.mitre.org/techniques/T1606/" + +[[rule.threat.technique.subtechnique]] +id = "T1606.002" +name = "SAML Tokens" +reference = "https://attack.mitre.org/techniques/T1606/002/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.UserId", "o365.audit.ErrorNumber"] diff --git a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml index 1768e604e..6a188c194 100644 --- a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml +++ b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,36 @@ event.dataset:o365.audit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml index 3618f364e..bb5accb60 100644 --- a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml +++ b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,18 +84,36 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml index 71b93df4c..268f01b50 100644 --- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml +++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -116,22 +116,39 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.002" name = "Additional Email Delegate Permissions" reference = "https://attack.mitre.org/techniques/T1098/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.002" +name = "Additional Email Delegate Permissions" +reference = "https://attack.mitre.org/techniques/T1098/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.UserId"] diff --git a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml index ef65532a6..7e3c706e1 100644 --- a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml +++ b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,14 +78,26 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml index 6b821fb7b..51e1c706f 100644 --- a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml +++ b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -83,19 +83,36 @@ event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml index a7c2689ef..39689dd40 100644 --- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,12 +81,12 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1111" name = "Multi-Factor Authentication Interception" reference = "https://attack.mitre.org/techniques/T1111/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index 0c7a8ec86..e7ef9688e 100644 --- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] @@ -79,17 +79,26 @@ event.dataset:okta.system and event.action:user.account.lock [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.threshold] field = ["okta.actor.alternate_id"] value = 3 diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml index 032c715eb..9480d1709 100644 --- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml +++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/10" integration = ["okta"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,32 +92,44 @@ event.dataset:okta.system [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - -[[rule.threat.technique]] -id = "T1110" -name = "Brute Force" -reference = "https://attack.mitre.org/techniques/T1110/" [[rule.threat.technique.subtechnique]] id = "T1110.004" name = "Credential Stuffing" reference = "https://attack.mitre.org/techniques/T1110/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.threshold] field = ["okta.debug_context.debug_data.dt_hash"] value = 1 diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml index 03486d8b6..46a0131cc 100644 --- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml +++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/08" integration = ["okta"] maturity = "production" -updated_date = "2025/09/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,14 +107,31 @@ from logs-okta* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1539/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.004" +name = "Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1550/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml index 208243ef9..a71ae74e7 100644 --- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml +++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/22" integration = ["okta"] maturity = "production" -updated_date = "2025/10/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,12 +79,12 @@ data_stream.dataset: "okta.system" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1539/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml index 463bd891f..52bd075b2 100644 --- a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml +++ b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/26" integration = ["okta"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,6 +89,7 @@ tags = [ "Tactic: Credential Access", "Tactic: Lateral Movement", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "esql" @@ -159,29 +160,31 @@ FROM logs-okta.system-* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1539/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.004" name = "Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1550/004/" [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml index a27b743a2..223874210 100644 --- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml +++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["okta"] maturity = "production" -updated_date = "2025/09/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,29 +113,23 @@ from logs-okta* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - -[[rule.threat.technique]] -id = "T1110" -name = "Brute Force" -reference = "https://attack.mitre.org/techniques/T1110/" [[rule.threat.technique.subtechnique]] id = "T1110.004" name = "Credential Stuffing" reference = "https://attack.mitre.org/techniques/T1110/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml index 72b54d820..c44cebb4c 100644 --- a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml +++ b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["okta"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,14 +122,18 @@ FROM logs-okta.system-* METADATA _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml index 81619833e..dcb805b61 100644 --- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml +++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/18" integration = ["okta"] maturity = "production" -updated_date = "2025/09/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,14 +100,31 @@ sequence by okta.actor.id with maxspan=10m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1621" name = "Multi-Factor Authentication Request Generation" reference = "https://attack.mitre.org/techniques/T1621/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml index ad755fa3b..e9241ff30 100644 --- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml +++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/05" integration = ["okta"] maturity = "production" -updated_date = "2025/09/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,14 +102,31 @@ sequence by okta.actor.id with maxspan=10m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1621" name = "Multi-Factor Authentication Request Generation" reference = "https://attack.mitre.org/techniques/T1621/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml index eef4992bb..ac2b3ea1a 100644 --- a/rules/integrations/okta/credential_access_user_impersonation_access.toml +++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml @@ -2,7 +2,7 @@ creation_date = "2022/03/22" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,3 +80,20 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml index 5291da129..752ebc8c2 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,19 +81,28 @@ event.dataset:okta.system and event.action:zone.deactivate [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml index c2ae0981e..952fb62b7 100644 --- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml +++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/11" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,22 +88,31 @@ event.dataset: okta.system [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["okta.actor.display_name"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml index afb56b6df..b1071d0eb 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,19 +88,28 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index 497da81d4..a62d5f3a5 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,23 @@ event.dataset:okta.system and event.action:policy.rule.deactivate [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml index d15fdf579..b255db542 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/28" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,19 +88,46 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml index 5b253b86d..b11ae8c91 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,23 @@ event.dataset:okta.system and event.action:policy.rule.delete [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml index 2811f0d54..4c429ca0f 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,23 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml index 2be46aca1..e2e4e61c6 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,19 +76,28 @@ event.dataset:okta.system and event.action:policy.lifecycle.update [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml index b163bbcf4..72e4c5ff1 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,19 +85,23 @@ event.dataset:okta.system and event.action:policy.rule.update [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 8c9739a98..3dba3d705 100644 --- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] @@ -82,41 +82,57 @@ event.dataset:okta.system and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [rule.threshold] field = ["okta.actor.alternate_id"] value = 5 diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml index 121e67e54..ce1e17c9c 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,14 +78,13 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml index ade1997e4..e99fc028b 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,13 @@ event.dataset:okta.system and event.action:application.lifecycle.delete [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml index 79b6707bf..3d7fbd734 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,4 +90,3 @@ framework = "MITRE ATT&CK" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml index 52c88d548..91960faaa 100644 --- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml +++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,6 +78,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1498" name = "Network Denial of Service" @@ -88,9 +89,17 @@ id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" +[[rule.threat.technique.subtechnique]] +id = "T1499.002" +name = "Service Exhaustion Flood" +reference = "https://attack.mitre.org/techniques/T1499/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1499.003" +name = "Application Exhaustion Flood" +reference = "https://attack.mitre.org/techniques/T1499/003/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml index 10d46662b..9c026e9aa 100644 --- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml +++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,12 +75,22 @@ event.dataset:okta.system and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml index 286487e6a..80b6b71f2 100644 --- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml +++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/07" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -82,14 +82,18 @@ event.dataset:okta.system and event.category:authentication and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml index d157ea468..701332ba9 100644 --- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml +++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/14" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -65,6 +65,7 @@ tags = [ "Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "query" @@ -76,23 +77,22 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -100,6 +100,7 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -107,4 +108,3 @@ framework = "MITRE ATT&CK" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml index 3980b66a6..8589d5de2 100644 --- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml +++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/01/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -74,6 +74,7 @@ tags = [ "Tactic: Initial Access", "Data Source: Okta", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "new_terms" @@ -111,14 +112,31 @@ value = "now-5d" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1199" name = "Trusted Relationship" reference = "https://attack.mitre.org/techniques/T1199/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml index 2a87b962d..b44a3a4bf 100644 --- a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml +++ b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/07" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,11 +78,16 @@ event.dataset: "okta.system" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml index fdf12c3e9..25a9fa908 100644 --- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml +++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,17 +87,17 @@ event.dataset:okta.system [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.004" name = "Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1550/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 859394bc1..2d50aeeea 100644 --- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,14 +86,31 @@ event.dataset:okta.system and event.action:group.privilege.grant [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml index 4e3bb956c..ae9abcc15 100644 --- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml +++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,14 +92,36 @@ event.dataset:okta.system [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml index 3d49244c9..110fba316 100644 --- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml +++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,14 +85,23 @@ event.dataset:okta.system and event.action:system.api_token.create [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index 399af2398..7b826d1c1 100644 --- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,14 +86,31 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml index 3f356b7f3..04ca3459a 100644 --- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml +++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/20" integration = ["okta"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,19 +85,36 @@ sequence by okta.target.id with maxspan=12h [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml index ec410cc91..96b1ea065 100644 --- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml +++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,19 +76,46 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.007" name = "Hybrid Identity" reference = "https://attack.mitre.org/techniques/T1556/007/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index b85da21ef..c9f052895 100644 --- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/01" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,14 +86,36 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml index 95c5b7cbd..8fe48c524 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "sysmon_linux"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,14 +89,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml index cea8bce82..edb900374 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "sysmon_linux"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -90,14 +90,26 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml index c25efcf12..9a2e72774 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "sysmon_linux"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,14 +88,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml index 225018502..7b479bfd9 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,6 +89,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -99,9 +100,20 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml index 1387bf227..e2754c6f0 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,14 +89,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml index f79d485a9..eddc6f5cc 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,14 +89,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml index 938ae0eef..956843017 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,14 +88,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml index f84ac248b..5d92fbdb9 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,6 +88,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -103,9 +104,20 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml index 14c6f23bd..e1575db67 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,6 +88,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -98,9 +99,35 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml index abd5652b0..1a67cb5a8 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,6 +88,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -98,9 +99,25 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml index 51b64715d..6861aead8 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,6 +88,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -103,9 +104,20 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml index 6a80f4a7b..e394e67f9 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -87,6 +87,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -97,9 +98,25 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml index bf61284ea..b3949f019 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -90,6 +90,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -100,9 +101,30 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml index d287e6828..78f44f6aa 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -87,6 +87,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -97,9 +98,12 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml index 581372213..847040157 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,6 +89,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -99,9 +100,25 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml index ece76dfc0..655cc4258 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,6 +89,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -99,9 +100,30 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml index 3ddc61961..8651e7f6c 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,14 +89,26 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml index afb390d22..539df8411 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -91,6 +91,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -101,21 +102,48 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml index f7407fd16..c8216dd03 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,6 +89,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -99,9 +100,25 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml index c3078e43d..697850d93 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,14 +89,26 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml index e62fe19f6..af481beaf 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,14 +88,26 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml index abb8bb47e..f0e3a9b3e 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -94,14 +94,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml index 513d1a8b8..182abe9bb 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -94,14 +94,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml index 22b4da659..9e43cb9de 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -93,14 +93,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml index 7b94ae3ca..1d01817a6 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -95,14 +95,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml index a5b82dcbb..9202b9bc1 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -95,14 +95,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml index 2bbc37b2c..543cda806 100644 --- a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml +++ b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/21" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,11 +94,15 @@ id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index cab972324..595b48de8 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/16" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -156,6 +156,11 @@ sequence by host.id, process.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" @@ -172,6 +177,11 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml index 5356874e6..934e37b25 100644 --- a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml +++ b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,6 +127,16 @@ reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" diff --git a/rules/linux/command_and_control_curl_socks_proxy_detected.toml b/rules/linux/command_and_control_curl_socks_proxy_detected.toml index cfdde4aab..f9a315aeb 100644 --- a/rules/linux/command_and_control_curl_socks_proxy_detected.toml +++ b/rules/linux/command_and_control_curl_socks_proxy_detected.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,6 +124,16 @@ Curl is a versatile command-line tool used for transferring data with URLs, ofte [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.002" +name = "External Proxy" +reference = "https://attack.mitre.org/techniques/T1090/002/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml index 64968e762..a874dbd67 100644 --- a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml +++ b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -174,3 +174,21 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml index 8e5b77e39..2f8b7c39e 100644 --- a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml +++ b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,6 +121,16 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml index f810448aa..50818104f 100644 --- a/rules/linux/command_and_control_ip_forwarding_activity.toml +++ b/rules/linux/command_and_control_ip_forwarding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,16 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.001" +name = "Internal Proxy" +reference = "https://attack.mitre.org/techniques/T1090/001/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml index 2f6eb95ac..9cda5267d 100644 --- a/rules/linux/command_and_control_linux_chisel_client_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -163,6 +163,11 @@ sequence by host.id, process.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml index acd204dae..2895259e8 100644 --- a/rules/linux/command_and_control_linux_kworker_netcon.toml +++ b/rules/linux/command_and_control_linux_kworker_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,6 +128,11 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -145,7 +150,6 @@ reference = "https://attack.mitre.org/techniques/T1041/" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - [rule.new_terms] field = "new_terms_fields" value = ["process.name", "host.id"] diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml index c86530e35..409f98fe8 100644 --- a/rules/linux/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -139,6 +139,16 @@ process.name == "proxychains" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.003" +name = "Multi-hop Proxy" +reference = "https://attack.mitre.org/techniques/T1090/003/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml index b4d383c26..8cc7c5858 100644 --- a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml +++ b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -134,14 +134,31 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index 6af65daf2..12dfb33d1 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -169,6 +169,16 @@ process.name == "proxychains" and process.args : ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.003" +name = "Multi-hop Proxy" +reference = "https://attack.mitre.org/techniques/T1090/003/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index a32949a86..a7e717aad 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -193,6 +193,16 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml index 971d4da2b..7125dd7bc 100644 --- a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml +++ b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,11 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_potential_tunneling_command_line.toml b/rules/linux/command_and_control_potential_tunneling_command_line.toml index f0209e6a6..075f98f32 100644 --- a/rules/linux/command_and_control_potential_tunneling_command_line.toml +++ b/rules/linux/command_and_control_potential_tunneling_command_line.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/12" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -170,6 +170,11 @@ process.command_line regex """.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index a89abcbc9..a50b57151 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -219,6 +219,33 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/command_and_control_telegram_api_request.toml b/rules/linux/command_and_control_telegram_api_request.toml index 7c6867e61..ee1d86334 100644 --- a/rules/linux/command_and_control_telegram_api_request.toml +++ b/rules/linux/command_and_control_telegram_api_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -120,17 +120,27 @@ process.name in ("curl", "wget") and process.command_line like "*api.telegram.or [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index be519817d..4146d2eb9 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -177,6 +177,11 @@ process.args : "-s" and process.args : "-d" and process.args : "rssocks" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/credential_access_aws_creds_search_inside_container.toml b/rules/linux/credential_access_aws_creds_search_inside_container.toml index 77439cd44..809b71661 100644 --- a/rules/linux/credential_access_aws_creds_search_inside_container.toml +++ b/rules/linux/credential_access_aws_creds_search_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,3 +116,29 @@ reference = "https://attack.mitre.org/techniques/T1552/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 71d52ec71..537425e98 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/22" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -171,6 +171,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" @@ -185,7 +190,6 @@ reference = "https://attack.mitre.org/techniques/T1560/001/" id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line", "process.parent.executable"] diff --git a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml index 417321d89..160f0356f 100644 --- a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml +++ b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,6 +119,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml index 777c602f0..4b773d256 100644 --- a/rules/linux/credential_access_credential_dumping.toml +++ b/rules/linux/credential_access_credential_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,3 +121,16 @@ reference = "https://attack.mitre.org/techniques/T1003/008/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml index 646c05881..fe09ce662 100644 --- a/rules/linux/credential_access_gdb_init_process_hooking.toml +++ b/rules/linux/credential_access_gdb_init_process_hooking.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1003/007/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml index af461be6f..a8d9e3c98 100644 --- a/rules/linux/credential_access_gdb_process_hooking.toml +++ b/rules/linux/credential_access_gdb_process_hooking.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,36 @@ process.args != "1" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat.technique.subtechnique]] +id = "T1055.008" +name = "Ptrace System Calls" +reference = "https://attack.mitre.org/techniques/T1055/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/credential_access_gh_auth_via_nodejs.toml b/rules/linux/credential_access_gh_auth_via_nodejs.toml index 1ab982a08..0fbe02392 100644 --- a/rules/linux/credential_access_gh_auth_via_nodejs.toml +++ b/rules/linux/credential_access_gh_auth_via_nodejs.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -69,16 +69,16 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" @@ -96,3 +96,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml index b4054ccf7..a81e911e3 100644 --- a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml +++ b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -134,15 +134,20 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" @@ -161,3 +166,16 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/credential_access_manual_memory_dumping.toml b/rules/linux/credential_access_manual_memory_dumping.toml index d6f5ffe21..5cfc95bc8 100644 --- a/rules/linux/credential_access_manual_memory_dumping.toml +++ b/rules/linux/credential_access_manual_memory_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,3 +129,16 @@ reference = "https://attack.mitre.org/techniques/T1212/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index 020628dd4..968fb29c8 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,3 +115,21 @@ reference = "https://attack.mitre.org/techniques/T1110/003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index 8f8c9f7c1..f49bfa664 100644 --- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,3 +117,16 @@ reference = "https://attack.mitre.org/techniques/T1110/003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index f543e3ff5..1ffd1eadd 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -131,3 +131,16 @@ reference = "https://attack.mitre.org/techniques/T1212/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml index 0b636c1f0..a1fe4c1ad 100644 --- a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml +++ b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,3 +117,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index 1a136471d..90c1c3704 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -170,3 +170,21 @@ reference = "https://attack.mitre.org/techniques/T1554/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" + +[[rule.threat.technique.subtechnique]] +id = "T1074.001" +name = "Local Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/001/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml index feb935874..449714c31 100644 --- a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml +++ b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,6 +76,11 @@ sequence by host.id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1056" +name = "Input Capture" +reference = "https://attack.mitre.org/techniques/T1056/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" diff --git a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml index c58ad162a..effcb2095 100644 --- a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml +++ b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/22" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/29" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -182,31 +182,41 @@ sequence by host.id, process.parent.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + [[rule.threat.technique]] id = "T1580" name = "Cloud Infrastructure Discovery" reference = "https://attack.mitre.org/techniques/T1580/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml index 6b076f4a6..b340bee65 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,3 +123,16 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index f1d091298..eea9e5bae 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,7 +127,25 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique.subtechnique]] +id = "T1562.004" +name = "Disable or Modify System Firewall" +reference = "https://attack.mitre.org/techniques/T1562/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 716db12a6..b3ff2f7b3 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -141,3 +141,16 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml index b1c2b0ae4..a7383503d 100644 --- a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml +++ b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,3 +118,16 @@ reference = "https://attack.mitre.org/techniques/T1070/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 5b514d442..11e14f7eb 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/17" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,3 +142,21 @@ reference = "https://attack.mitre.org/techniques/T1140/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1132" +name = "Data Encoding" +reference = "https://attack.mitre.org/techniques/T1132/" + +[[rule.threat.technique.subtechnique]] +id = "T1132.001" +name = "Standard Encoding" +reference = "https://attack.mitre.org/techniques/T1132/001/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml index 375a8b62e..d0fee31c9 100644 --- a/rules/linux/defense_evasion_base64_decoding_activity.toml +++ b/rules/linux/defense_evasion_base64_decoding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -201,6 +201,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" diff --git a/rules/linux/defense_evasion_bpf_program_tampering.toml b/rules/linux/defense_evasion_bpf_program_tampering.toml index f23dcdf26..9c269d4ee 100644 --- a/rules/linux/defense_evasion_bpf_program_tampering.toml +++ b/rules/linux/defense_evasion_bpf_program_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,6 +89,11 @@ process.name == "bpftool" and ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -99,11 +104,6 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml index 05fae4d05..2f2895230 100644 --- a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml +++ b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -144,46 +144,56 @@ sequence with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" - [[rule.threat.technique]] - id = "T1218" - name = "System Binary Proxy Execution" - reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - id = "TA0011" - name = "Command and Control" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - id = "TA0010" - name = "Exfiltration" - reference = "https://attack.mitre.org/tactics/TA0010/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/defense_evasion_directory_creation_in_bin.toml b/rules/linux/defense_evasion_directory_creation_in_bin.toml index 450965c18..e1b62a2cd 100644 --- a/rules/linux/defense_evasion_directory_creation_in_bin.toml +++ b/rules/linux/defense_evasion_directory_creation_in_bin.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/01" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,6 +108,16 @@ not process.parent.executable in ("/usr/bin/make", "/bin/make") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" diff --git a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml index 8f0a8af6a..c0e2fdee5 100644 --- a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml +++ b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -112,3 +112,21 @@ reference = "https://attack.mitre.org/techniques/T1548/003/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml index 92d844476..7a626cecb 100644 --- a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml +++ b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -160,3 +160,21 @@ reference = "https://attack.mitre.org/techniques/T1574/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 90b9c8b38..d879a0396 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,3 +127,15 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index b838709d6..7eed59e94 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -131,11 +131,15 @@ id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable", "process.command_line"] diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml index 96000cee0..d2550c037 100644 --- a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml +++ b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,6 +116,11 @@ id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml index 62bddb868..8d95fcc7b 100644 --- a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml +++ b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -156,6 +156,16 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" diff --git a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml index 46ad1a215..a2affed2d 100644 --- a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml +++ b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,10 +124,15 @@ In Linux environments, system users are typically non-interactive and serve spec [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" [[rule.threat.technique]] id = "T1564" @@ -139,6 +144,28 @@ id = "T1564.002" name = "Hidden Users" reference = "https://attack.mitre.org/techniques/T1564/002/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml index 1ac5aa2f5..c1bb6e2a7 100644 --- a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml +++ b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2026/03/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -126,45 +126,55 @@ sequence by host.id, process.parent.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" - [[rule.threat.technique]] - name = "Obfuscated Files or Information" - id = "T1027" - reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" - [[rule.threat.technique]] - name = "Deobfuscate/Decode Files or Information" - id = "T1140" - reference = "https://attack.mitre.org/techniques/T1140/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" - [[rule.threat.technique.subtechnique]] - name = "Malicious File" - id = "T1204.002" - reference = "https://attack.mitre.org/techniques/T1204/002/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/defense_evasion_kill_command_executed.toml b/rules/linux/defense_evasion_kill_command_executed.toml index 68a5e17a6..225fabde9 100644 --- a/rules/linux/defense_evasion_kill_command_executed.toml +++ b/rules/linux/defense_evasion_kill_command_executed.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,10 +103,20 @@ process.name:(kill or pkill or killall) and not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.006" +name = "Indicator Blocking" +reference = "https://attack.mitre.org/techniques/T1562/006/" [[rule.threat.technique]] id = "T1564" @@ -118,24 +128,14 @@ id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" -[[rule.threat.technique]] -name = "Impair Defenses" -id = "T1562" -reference = "https://attack.mitre.org/techniques/T1562/" - -[[rule.threat.technique.subtechnique]] -name = "Indicator Blocking" -id = "T1562.006" -reference = "https://attack.mitre.org/techniques/T1562/006/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -146,6 +146,23 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable"] diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 847734d39..e002b267b 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,6 +116,11 @@ id = "T1036.004" name = "Masquerade Task or Service" reference = "https://attack.mitre.org/techniques/T1036/004/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" diff --git a/rules/linux/defense_evasion_ld_preload_cmdline.toml b/rules/linux/defense_evasion_ld_preload_cmdline.toml index 3ac927044..46324c56b 100644 --- a/rules/linux/defense_evasion_ld_preload_cmdline.toml +++ b/rules/linux/defense_evasion_ld_preload_cmdline.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,57 +111,74 @@ process.args:-c and process.command_line:(*LD_LIBRARY_PATH=* or *LD_PRELOAD=*) [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Privilege Escalation" - id = "TA0004" - reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name", "process.command_line", "host.id"] diff --git a/rules/linux/defense_evasion_ld_so_creation.toml b/rules/linux/defense_evasion_ld_so_creation.toml index 8559b7e01..125a2f028 100644 --- a/rules/linux/defense_evasion_ld_so_creation.toml +++ b/rules/linux/defense_evasion_ld_so_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,6 +124,16 @@ id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index f0e1caa08..227b89f7c 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -133,6 +133,11 @@ id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index debb67bae..f2f493c7d 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,11 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml index 14c9ecdfc..2a9ade9c7 100644 --- a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml +++ b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/24" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -120,45 +120,50 @@ sequence by process.parent.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" - [[rule.threat.technique]] - name = "Obfuscated Files or Information" - id = "T1027" - reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" - [[rule.threat.technique]] - name = "Deobfuscate/Decode Files or Information" - id = "T1140" - reference = "https://attack.mitre.org/techniques/T1140/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" - [[rule.threat.technique.subtechnique]] - name = "Malicious File" - id = "T1204.002" - reference = "https://attack.mitre.org/techniques/T1204/002/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index 42658fe2b..e6c652ffe 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,3 +123,16 @@ reference = "https://attack.mitre.org/techniques/T1036/003/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index 215cc1c7e..3ea1172ce 100644 --- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,3 +92,47 @@ reference = "https://attack.mitre.org/techniques/T1218/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/defense_evasion_suspicious_path_mounted.toml b/rules/linux/defense_evasion_suspicious_path_mounted.toml index 33accceab..15fcb6f6a 100644 --- a/rules/linux/defense_evasion_suspicious_path_mounted.toml +++ b/rules/linux/defense_evasion_suspicious_path_mounted.toml @@ -3,7 +3,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] diff --git a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml index 5f5aad743..144405b24 100644 --- a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml +++ b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,26 +90,25 @@ process.parent.args:(/usr/bin/qemu-aarch64-static or /usr/sbin/weak-modules or / [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique]] - name = "Indirect Command Execution" - id = "T1202" - reference = "https://attack.mitre.org/techniques/T1202/" - - [[rule.threat.technique]] - name = "Hide Artifacts" - id = "T1564" - reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.name"] diff --git a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml index b1e0758e1..4f3b999ca 100644 --- a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml +++ b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,25 +105,30 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" [[rule.threat.technique]] -name = "Impair Defenses" id = "T1562" +name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" [[rule.threat.technique.subtechnique]] -name = "Indicator Blocking" +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[[rule.threat.technique.subtechnique]] id = "T1562.006" +name = "Indicator Blocking" reference = "https://attack.mitre.org/techniques/T1562/006/" -[[rule.threat.technique]] -name = "Subvert Trust Controls" -id = "T1553" -reference = "https://attack.mitre.org/techniques/T1553/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_unusual_preload_env_vars.toml b/rules/linux/defense_evasion_unusual_preload_env_vars.toml index fb5343a26..518e5acd5 100644 --- a/rules/linux/defense_evasion_unusual_preload_env_vars.toml +++ b/rules/linux/defense_evasion_unusual_preload_env_vars.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -147,6 +147,23 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.env_vars"] diff --git a/rules/linux/defense_evasion_user_or_group_deletion.toml b/rules/linux/defense_evasion_user_or_group_deletion.toml index dcf6cbd1e..697f60f57 100644 --- a/rules/linux/defense_evasion_user_or_group_deletion.toml +++ b/rules/linux/defense_evasion_user_or_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/08" integration = ["system"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,3 +94,16 @@ reference = "https://attack.mitre.org/techniques/T1070/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml index 533fff59b..9913c5751 100644 --- a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml +++ b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/11" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,6 +103,16 @@ not process.executable:("./usr/bin/podman" or "./install" or /tmp/vmis.*/install [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.002" +name = "Clear Linux or Mac System Logs" +reference = "https://attack.mitre.org/techniques/T1070/002/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" @@ -143,7 +153,6 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.executable"] diff --git a/rules/linux/discovery_docker_socket_discovery.toml b/rules/linux/discovery_docker_socket_discovery.toml index 33a3be52a..73630bb0d 100644 --- a/rules/linux/discovery_docker_socket_discovery.toml +++ b/rules/linux/discovery_docker_socket_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,3 +132,16 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index 40420f501..242d0bcb4 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,7 +117,30 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index a2e43bc8e..ab2c7bb23 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,6 +113,11 @@ not ?process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewa [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index af3f9c6de..deab74f05 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,6 +113,11 @@ not ?process.parent.executable in ("/usr/share/qemu/init/qemu-kvm-init", "/etc/s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" diff --git a/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml b/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml index 401470b34..2206fa79c 100644 --- a/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml +++ b/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index e78a5b707..d456bfc7f 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -126,11 +126,15 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/discovery_kernel_seeking.toml b/rules/linux/discovery_kernel_seeking.toml index f7159bd28..d6403ec34 100644 --- a/rules/linux/discovery_kernel_seeking.toml +++ b/rules/linux/discovery_kernel_seeking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -134,3 +134,16 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/discovery_kernel_unpacking.toml b/rules/linux/discovery_kernel_unpacking.toml index 5fd3d44ce..d41f42360 100644 --- a/rules/linux/discovery_kernel_unpacking.toml +++ b/rules/linux/discovery_kernel_unpacking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,6 +128,11 @@ id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/discovery_kubeconfig_file_discovery.toml b/rules/linux/discovery_kubeconfig_file_discovery.toml index 499b8b47a..48e5d0fee 100644 --- a/rules/linux/discovery_kubeconfig_file_discovery.toml +++ b/rules/linux/discovery_kubeconfig_file_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -141,6 +141,11 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" @@ -150,3 +155,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 13cafc919..bd67464f5 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,14 +128,18 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 0e0202846..309a3429a 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,14 +128,26 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml b/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml index 221cc4ff0..2ef9d2205 100644 --- a/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml +++ b/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,6 +116,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1135" +name = "Network Share Discovery" +reference = "https://attack.mitre.org/techniques/T1135/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml index fd9295a70..c714e5ca0 100644 --- a/rules/linux/discovery_pam_version_discovery.toml +++ b/rules/linux/discovery_pam_version_discovery.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,6 +127,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml index 1cffefe92..614d53eda 100644 --- a/rules/linux/discovery_ping_sweep_detected.toml +++ b/rules/linux/discovery_ping_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" @@ -119,7 +124,6 @@ reference = "https://attack.mitre.org/techniques/T1046/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.threshold] field = ["host.id", "process.parent.entity_id", "process.executable"] value = 1 diff --git a/rules/linux/discovery_polkit_version_discovery.toml b/rules/linux/discovery_polkit_version_discovery.toml index 2420b1dc1..12be701fa 100644 --- a/rules/linux/discovery_polkit_version_discovery.toml +++ b/rules/linux/discovery_polkit_version_discovery.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,6 +115,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_private_key_password_searching_activity.toml b/rules/linux/discovery_private_key_password_searching_activity.toml index 413d337fc..b5aaf6856 100644 --- a/rules/linux/discovery_private_key_password_searching_activity.toml +++ b/rules/linux/discovery_private_key_password_searching_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ process.command_line like ("*/home/*", "*/etc/ssh*", "*/root/*", "/") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -128,6 +133,11 @@ id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/discovery_process_capabilities.toml b/rules/linux/discovery_process_capabilities.toml index 41b4c8bda..17213c9ac 100644 --- a/rules/linux/discovery_process_capabilities.toml +++ b/rules/linux/discovery_process_capabilities.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,6 +105,11 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml index c80d99582..8651c5b6c 100644 --- a/rules/linux/discovery_security_file_access_via_common_utility.toml +++ b/rules/linux/discovery_security_file_access_via_common_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,7 +125,30 @@ process.args like ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml index 6f3aab1b3..a7db2fe66 100644 --- a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml +++ b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -150,6 +150,11 @@ from logs-endpoint.events.network-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index 9c5015f5d..4dc21585e 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,14 +106,41 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.001" +name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/discovery_suspicious_memory_grep_activity.toml b/rules/linux/discovery_suspicious_memory_grep_activity.toml index 56148d7db..7830ed690 100644 --- a/rules/linux/discovery_suspicious_memory_grep_activity.toml +++ b/rules/linux/discovery_suspicious_memory_grep_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/05" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,6 +90,11 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml index e78382373..4bf51659a 100644 --- a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml +++ b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -146,3 +146,16 @@ reference = "https://attack.mitre.org/techniques/T1595/" id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml index 732545b5d..70658812d 100644 --- a/rules/linux/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,23 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index e855e9a32..bd4ae498b 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,6 +109,26 @@ id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.001" +name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1087/001/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index db90a1ad7..4fc88b14b 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,7 +142,35 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml index 2d0397313..1672b6a16 100644 --- a/rules/linux/discovery_yum_dnf_plugin_detection.toml +++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,6 +117,16 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 6310d47ea..a6c74f46c 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -153,6 +153,23 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "file.name"] diff --git a/rules/linux/execution_container_management_binary_launched_inside_container.toml b/rules/linux/execution_container_management_binary_launched_inside_container.toml index f32d2b566..c2cb790e0 100644 --- a/rules/linux/execution_container_management_binary_launched_inside_container.toml +++ b/rules/linux/execution_container_management_binary_launched_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1609/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml index ecf137688..b467de424 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,6 +123,16 @@ sequence by host.id with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" diff --git a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml index e30294628..b2d2d1ad4 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -134,6 +134,16 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" diff --git a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml index 9a89825b3..02db558cf 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,14 +132,23 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml index 213932467..9f190ca97 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -148,14 +148,80 @@ process.parent.name in ("foomatic-rip", "cupsd") and process.command_line like ( [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml index 4f987d0a0..d0e7ede71 100644 --- a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml +++ b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,3 +113,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_executable_stack_execution.toml b/rules/linux/execution_executable_stack_execution.toml index db15ac7e5..35222dec4 100644 --- a/rules/linux/execution_executable_stack_execution.toml +++ b/rules/linux/execution_executable_stack_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["system"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,3 +105,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index d2a3a87c9..b597a771b 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,3 +123,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml index 18431eba5..48c6e1b68 100644 --- a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml +++ b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,7 +123,35 @@ id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 59cdf65a4..308b44526 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -161,3 +161,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[[rule.threat.technique.subtechnique]] +id = "T1048.003" +name = "Exfiltration Over Unencrypted Non-C2 Protocol" +reference = "https://attack.mitre.org/techniques/T1048/003/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/execution_kubectl_apply_pod_from_url.toml b/rules/linux/execution_kubectl_apply_pod_from_url.toml index 7358ddd13..93e9de69f 100644 --- a/rules/linux/execution_kubectl_apply_pod_from_url.toml +++ b/rules/linux/execution_kubectl_apply_pod_from_url.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_m maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,16 +116,16 @@ not process.args like~ ("*download.elastic.co*", "*github.com/kubernetes-sigs/*" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" - [[rule.threat.technique]] id = "T1609" name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index 7e6e8f09b..48f29f640 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,3 +128,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index b094488da..5e3fa776b 100644 --- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,6 +111,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -128,3 +133,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index 42342789d..57187ffed 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,6 +135,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index fdf098633..01e048ff1 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -130,6 +130,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index c3d550b7b..267e8cb0e 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -133,3 +133,84 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.002" +name = "Password Cracking" +reference = "https://attack.mitre.org/techniques/T1110/002/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.002" +name = "Vulnerability Scanning" +reference = "https://attack.mitre.org/techniques/T1595/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.003" +name = "Wordlist Scanning" +reference = "https://attack.mitre.org/techniques/T1595/003/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/linux/execution_potentially_overly_permissive_container_creation.toml b/rules/linux/execution_potentially_overly_permissive_container_creation.toml index 69ded33a6..dd1099bb8 100644 --- a/rules/linux/execution_potentially_overly_permissive_container_creation.toml +++ b/rules/linux/execution_potentially_overly_permissive_container_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,6 +122,11 @@ id = "T1609" name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -139,7 +144,6 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml index b89fc96dc..dcfef99c8 100644 --- a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml +++ b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,6 +124,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -132,6 +137,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.009" +name = "Break Process Trees" +reference = "https://attack.mitre.org/techniques/T1036/009/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" @@ -141,7 +156,6 @@ reference = "https://attack.mitre.org/techniques/T1564/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index 9188badd5..6ea1de11b 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,14 +88,36 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.008" +name = "Masquerade File Type" +reference = "https://attack.mitre.org/techniques/T1036/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 1f0801f42..bec9a7025 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,3 +128,16 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index c8eff1779..b6bdfa7b7 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,6 +117,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique.subtechnique]] id = "T1059.006" name = "Python" diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 1cecb6685..177c05598 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index a1fd996d2..82295dbf9 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -194,19 +194,31 @@ process where host.os.type == "linux" and event.type == "start" and process.exec [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml index b57a9c5eb..5d19d5276 100644 --- a/rules/linux/execution_shell_openssl_client_or_server.toml +++ b/rules/linux/execution_shell_openssl_client_or_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -136,6 +136,16 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1573" +name = "Encrypted Channel" +reference = "https://attack.mitre.org/techniques/T1573/" + +[[rule.threat.technique.subtechnique]] +id = "T1573.002" +name = "Asymmetric Cryptography" +reference = "https://attack.mitre.org/techniques/T1573/002/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 71f693444..665394590 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/20" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,6 +129,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml index b1d6944dd..86d6082bc 100644 --- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml +++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -131,6 +131,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index 26b891475..460eaa351 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -131,6 +131,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -144,6 +149,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index 8e7503976..4d45d18d0 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -144,3 +144,31 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1087/001/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index ed5b8943e..5b6fc4511 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -139,6 +139,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index c8be644cd..600e8165d 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,6 +129,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index 35f575a8b..4f6e3d357 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -137,6 +137,16 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -150,6 +160,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 19461e6ab..b40f0b001 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,6 +132,11 @@ id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.015" +name = "Compression" +reference = "https://attack.mitre.org/techniques/T1027/015/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index 880ff976e..6bdc18fb3 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,6 +135,43 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = "https://attack.mitre.org/techniques/T1049/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index 30a5f83b4..a1e246c63 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/08" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -120,3 +120,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1496" +name = "Resource Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml index a35ae4ec7..6438bae79 100644 --- a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml +++ b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/01" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,6 +108,11 @@ id = "T1609" name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -116,6 +121,26 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" @@ -129,6 +154,16 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" @@ -144,6 +179,46 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.013" +name = "XDG Autostart Entries" +reference = "https://attack.mitre.org/techniques/T1547/013/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/execution_system_binary_file_permission_change.toml b/rules/linux/execution_system_binary_file_permission_change.toml index c9804ea27..f288223ac 100644 --- a/rules/linux/execution_system_binary_file_permission_change.toml +++ b/rules/linux/execution_system_binary_file_permission_change.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,3 +125,39 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 52cc47e2b..f71d3a531 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,3 +129,21 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml index 6c81fd12c..4db0ac23c 100644 --- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml +++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,11 +109,28 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["process.name"] diff --git a/rules/linux/execution_unusual_kthreadd_execution.toml b/rules/linux/execution_unusual_kthreadd_execution.toml index fb453b1a8..cfcd4c91f 100644 --- a/rules/linux/execution_unusual_kthreadd_execution.toml +++ b/rules/linux/execution_unusual_kthreadd_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,21 +117,43 @@ process.command_line:( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.009" +name = "Break Process Trees" +reference = "https://attack.mitre.org/techniques/T1036/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "host.id"] diff --git a/rules/linux/execution_unusual_path_invocation_from_command_line.toml b/rules/linux/execution_unusual_path_invocation_from_command_line.toml index 7c4599b99..254cf9a39 100644 --- a/rules/linux/execution_unusual_path_invocation_from_command_line.toml +++ b/rules/linux/execution_unusual_path_invocation_from_command_line.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,11 +135,20 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.007" +name = "Path Interception by PATH Environment Variable" +reference = "https://attack.mitre.org/techniques/T1574/007/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] diff --git a/rules/linux/execution_unusual_pkexec_execution.toml b/rules/linux/execution_unusual_pkexec_execution.toml index 0b613bb5b..fb8c1cd58 100644 --- a/rules/linux/execution_unusual_pkexec_execution.toml +++ b/rules/linux/execution_unusual_pkexec_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,6 +129,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -147,6 +152,23 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.command_line"] diff --git a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml index 89aa348f4..091686f30 100644 --- a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml +++ b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,6 +124,11 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1030" +name = "Data Transfer Size Limits" +reference = "https://attack.mitre.org/techniques/T1030/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/linux/exfiltration_potential_database_dumping.toml b/rules/linux/exfiltration_potential_database_dumping.toml index 6f0069282..579db8edb 100644 --- a/rules/linux/exfiltration_potential_database_dumping.toml +++ b/rules/linux/exfiltration_potential_database_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/13" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,12 +104,30 @@ process.name in ("pg_dump", "pg_dumpall", "mysqldump", "mariadb-dump", "mongodum [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" - [[rule.threat.technique]] - name = "Exfiltration Over Alternative Protocol" - id = "T1048" - reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1119" +name = "Automated Collection" +reference = "https://attack.mitre.org/techniques/T1119/" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/exfiltration_potential_wget_data_exfiltration.toml b/rules/linux/exfiltration_potential_wget_data_exfiltration.toml index e0f16b191..30d03cd78 100644 --- a/rules/linux/exfiltration_potential_wget_data_exfiltration.toml +++ b/rules/linux/exfiltration_potential_wget_data_exfiltration.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/07" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/13" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,12 +122,25 @@ process.name == "wget" and ?process.parent.executable != null and ( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" - [[rule.threat.technique]] - name = "Exfiltration Over Alternative Protocol" - id = "T1048" - reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml index f6d821c47..51dce3af6 100644 --- a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml +++ b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -171,6 +171,11 @@ from logs-endpoint.events.process-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" @@ -179,6 +184,16 @@ reference = "https://attack.mitre.org/tactics/TA0010/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index d5ae1fbcb..f7bf7c915 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,3 +115,16 @@ reference = "https://attack.mitre.org/techniques/T1486/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/impact_memory_swap_modification.toml b/rules/linux/impact_memory_swap_modification.toml index 2336a3983..c1231cd49 100644 --- a/rules/linux/impact_memory_swap_modification.toml +++ b/rules/linux/impact_memory_swap_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,6 +121,11 @@ id = "T1496" name = "Resource Hijacking" reference = "https://attack.mitre.org/techniques/T1496/" +[[rule.threat.technique.subtechnique]] +id = "T1496.001" +name = "Compute Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/001/" + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml index 93c5361d3..5ce3b6d80 100644 --- a/rules/linux/impact_potential_bruteforce_malware_infection.toml +++ b/rules/linux/impact_potential_bruteforce_malware_infection.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -205,3 +205,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index 85ce3461a..a1f4454d1 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/27" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,6 +107,23 @@ id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.threshold] field = ["host.id", "process.executable", "user.name"] value = 15 diff --git a/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml index 45f5c1a91..89e8ba1f7 100644 --- a/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml +++ b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/19" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -114,31 +114,44 @@ sequence by agent.id with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/initial_access_first_time_public_key_authentication.toml b/rules/linux/initial_access_first_time_public_key_authentication.toml index 1e74cf2cb..4e1a8689f 100644 --- a/rules/linux/initial_access_first_time_public_key_authentication.toml +++ b/rules/linux/initial_access_first_time_public_key_authentication.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,16 +99,38 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["system.auth.ssh.signature"] diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml index d1e0215d4..f571a929d 100644 --- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml +++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,16 +92,33 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["related.ip"] diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml index ffc5417fe..098cdd425 100644 --- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml +++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,16 +76,38 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["related.user"] diff --git a/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml b/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml index 3ebcdec8c..6d17eb3c5 100644 --- a/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml +++ b/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/26" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -93,26 +93,39 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml index 159ac1545..b0118148c 100644 --- a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml +++ b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/24" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,26 +101,39 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/lateral_movement_kubeconfig_file_activity.toml b/rules/linux/lateral_movement_kubeconfig_file_activity.toml index 742506ac7..14e0cd4c8 100644 --- a/rules/linux/lateral_movement_kubeconfig_file_activity.toml +++ b/rules/linux/lateral_movement_kubeconfig_file_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -151,12 +151,30 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml index c4ec5a4e3..2cf39df00 100644 --- a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml +++ b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,6 +132,18 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable", "host.id"] diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index d7738588c..f2ca0a106 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/21" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,3 +135,16 @@ reference = "https://attack.mitre.org/techniques/T1563/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 40cf153f8..691a01df0 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -133,3 +133,16 @@ reference = "https://attack.mitre.org/techniques/T1021/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/lateral_movement_unusual_remote_file_creation.toml b/rules/linux/lateral_movement_unusual_remote_file_creation.toml index 828592b0b..12d810eed 100644 --- a/rules/linux/lateral_movement_unusual_remote_file_creation.toml +++ b/rules/linux/lateral_movement_unusual_remote_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -140,6 +140,18 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable", "host.id"] diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 121bf3507..4d1af0856 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -174,6 +174,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/persistence_apt_package_manager_file_creation.toml b/rules/linux/persistence_apt_package_manager_file_creation.toml index 6fa37d13b..b7166410e 100644 --- a/rules/linux/persistence_apt_package_manager_file_creation.toml +++ b/rules/linux/persistence_apt_package_manager_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -175,3 +175,21 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index 7e83bb830..b0287a102 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml +++ b/rules/linux/persistence_apt_package_manager_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -156,3 +156,21 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_bpf_program_or_map_load.toml b/rules/linux/persistence_bpf_program_or_map_load.toml index af4757fbc..4255fc6e0 100644 --- a/rules/linux/persistence_bpf_program_or_map_load.toml +++ b/rules/linux/persistence_bpf_program_or_map_load.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,3 +118,21 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 554ad767f..a93f65fa8 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -196,6 +196,11 @@ id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 523302ed1..7ecaaef7e 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -187,6 +187,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_dbus_service_creation.toml b/rules/linux/persistence_dbus_service_creation.toml index 386571da5..379cc6b7a 100644 --- a/rules/linux/persistence_dbus_service_creation.toml +++ b/rules/linux/persistence_dbus_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,6 +138,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -151,6 +156,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml index 6d9c71de0..9d97b4d31 100644 --- a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml +++ b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -158,6 +158,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml index 10ca2105f..ded6346ea 100644 --- a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -157,7 +157,35 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml index 595ab2d54..c82730e95 100644 --- a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml +++ b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -141,6 +141,23 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/persistence_dpkg_unusual_execution.toml b/rules/linux/persistence_dpkg_unusual_execution.toml index 73a6322b9..3ec87f425 100644 --- a/rules/linux/persistence_dpkg_unusual_execution.toml +++ b/rules/linux/persistence_dpkg_unusual_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,6 +102,11 @@ process.group_leader.name != null and not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" @@ -112,11 +117,6 @@ id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -141,6 +141,24 @@ name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" [rule.threat.tactic] -name = "Initial Access" id = "TA0001" +name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_dracut_module_creation.toml b/rules/linux/persistence_dracut_module_creation.toml index 9427236d5..0df18519e 100644 --- a/rules/linux/persistence_dracut_module_creation.toml +++ b/rules/linux/persistence_dracut_module_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -164,6 +164,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1542" +name = "Pre-OS Boot" +reference = "https://attack.mitre.org/techniques/T1542/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index 2dcef6e4f..428803c32 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/12" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/17" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -192,3 +192,21 @@ reference = "https://attack.mitre.org/techniques/T1574/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml index 55473220b..78539f29f 100644 --- a/rules/linux/persistence_git_hook_execution.toml +++ b/rules/linux/persistence_git_hook_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/15" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -114,6 +114,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml index c5b9d78a1..b7455b0cb 100644 --- a/rules/linux/persistence_git_hook_file_creation.toml +++ b/rules/linux/persistence_git_hook_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,6 +129,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" diff --git a/rules/linux/persistence_git_hook_netcon.toml b/rules/linux/persistence_git_hook_netcon.toml index 3c79ca6de..358537f72 100644 --- a/rules/linux/persistence_git_hook_netcon.toml +++ b/rules/linux/persistence_git_hook_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,6 +123,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -158,3 +163,16 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml index 2203dc37a..3cb9ae208 100644 --- a/rules/linux/persistence_git_hook_process_execution.toml +++ b/rules/linux/persistence_git_hook_process_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,6 +132,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" diff --git a/rules/linux/persistence_grub_configuration_creation.toml b/rules/linux/persistence_grub_configuration_creation.toml index d3c5b78af..f874a2566 100644 --- a/rules/linux/persistence_grub_configuration_creation.toml +++ b/rules/linux/persistence_grub_configuration_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -143,3 +143,16 @@ reference = "https://attack.mitre.org/techniques/T1574/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1542" +name = "Pre-OS Boot" +reference = "https://attack.mitre.org/techniques/T1542/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_grub_makeconfig.toml b/rules/linux/persistence_grub_makeconfig.toml index dc7576275..89ea6d207 100644 --- a/rules/linux/persistence_grub_makeconfig.toml +++ b/rules/linux/persistence_grub_makeconfig.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -133,3 +133,16 @@ reference = "https://attack.mitre.org/techniques/T1574/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1542" +name = "Pre-OS Boot" +reference = "https://attack.mitre.org/techniques/T1542/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index b4d7276cf..22fd48822 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -192,7 +192,30 @@ id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index 58550c3b5..b36a4b766 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/06" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -243,6 +243,11 @@ id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.013" +name = "XDG Autostart Entries" +reference = "https://attack.mitre.org/techniques/T1547/013/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml index 0f7b646be..88fc5919f 100644 --- a/rules/linux/persistence_kernel_driver_load.toml +++ b/rules/linux/persistence_kernel_driver_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,31 +96,49 @@ Kernel modules extend the functionality of the Linux kernel, allowing dynamic lo [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml index 9f4a83039..53ddd9647 100644 --- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml +++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,3 +128,21 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml index 6a3833831..ad22b980a 100644 --- a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml +++ b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/13" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -145,3 +145,21 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_kernel_object_file_creation.toml b/rules/linux/persistence_kernel_object_file_creation.toml index e5b8aede5..23f758061 100644 --- a/rules/linux/persistence_kernel_object_file_creation.toml +++ b/rules/linux/persistence_kernel_object_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,6 +138,23 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "file.name"] diff --git a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml index 59a33614a..a5c2e7e96 100644 --- a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml +++ b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,16 +111,6 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.005" -name = "Container Service" -reference = "https://attack.mitre.org/techniques/T1543/005/" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" @@ -131,7 +121,48 @@ id = "T1053.007" name = "Container Orchestration Job" reference = "https://attack.mitre.org/techniques/T1053/007/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.005" +name = "Container Service" +reference = "https://attack.mitre.org/techniques/T1543/005/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.005" +name = "Container Service" +reference = "https://attack.mitre.org/techniques/T1543/005/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index 428a388aa..3d1b0170e 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -199,6 +199,16 @@ id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index fde1a2aa6..b1e668e61 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -146,6 +146,11 @@ process.args in ("-o", "--non-unique") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" @@ -160,3 +165,16 @@ reference = "https://attack.mitre.org/techniques/T1136/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index 1a5ec5236..fc60a9285 100644 --- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -119,6 +119,16 @@ iam where host.os.type == "linux" and event.type == "group" and event.type == "c [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index e3267bc31..31e0f60e1 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -206,3 +206,16 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index 10ff2785c..f171e2760 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -143,6 +143,16 @@ process.executable != null and process.args in ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" @@ -157,3 +167,21 @@ reference = "https://attack.mitre.org/techniques/T1136/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_manual_dracut_execution.toml b/rules/linux/persistence_manual_dracut_execution.toml index 0afee6bda..a12b34a2e 100644 --- a/rules/linux/persistence_manual_dracut_execution.toml +++ b/rules/linux/persistence_manual_dracut_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -143,3 +143,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1542" +name = "Pre-OS Boot" +reference = "https://attack.mitre.org/techniques/T1542/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 32d08cc31..dc73a9eff 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -183,3 +183,16 @@ reference = "https://attack.mitre.org/techniques/T1037/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index 4e5c181f2..2d176a1d6 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -209,3 +209,44 @@ reference = "https://attack.mitre.org/techniques/T1037/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_network_manager_dispatcher_persistence.toml b/rules/linux/persistence_network_manager_dispatcher_persistence.toml index 089f1d5d1..55a144cda 100644 --- a/rules/linux/persistence_network_manager_dispatcher_persistence.toml +++ b/rules/linux/persistence_network_manager_dispatcher_persistence.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -130,6 +130,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" diff --git a/rules/linux/persistence_openssl_passwd_hash_generation.toml b/rules/linux/persistence_openssl_passwd_hash_generation.toml index dc7660861..df8087508 100644 --- a/rules/linux/persistence_openssl_passwd_hash_generation.toml +++ b/rules/linux/persistence_openssl_passwd_hash_generation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,6 +111,11 @@ not process.args in ("-help", "--help", "-h") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" diff --git a/rules/linux/persistence_pluggable_authentication_module_creation.toml b/rules/linux/persistence_pluggable_authentication_module_creation.toml index a5bebae77..8de1e6271 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,6 +123,16 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -136,6 +146,11 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml index 2505889dd..2323b6fef 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,6 +105,16 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -118,6 +128,11 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml index 57331335b..381f170f4 100644 --- a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml +++ b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,16 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -127,3 +137,16 @@ reference = "https://attack.mitre.org/techniques/T1556/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_pluggable_authentication_module_source_download.toml b/rules/linux/persistence_pluggable_authentication_module_source_download.toml index 458326e40..aad0bc8bc 100644 --- a/rules/linux/persistence_pluggable_authentication_module_source_download.toml +++ b/rules/linux/persistence_pluggable_authentication_module_source_download.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,7 +102,25 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_polkit_policy_creation.toml b/rules/linux/persistence_polkit_policy_creation.toml index 0735fde6c..a80b58af3 100644 --- a/rules/linux/persistence_polkit_policy_creation.toml +++ b/rules/linux/persistence_polkit_policy_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -114,6 +114,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -131,3 +136,16 @@ reference = "https://attack.mitre.org/techniques/T1556/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml index ada832ab5..f8a376964 100644 --- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml +++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -145,6 +145,16 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" @@ -159,3 +169,21 @@ reference = "https://attack.mitre.org/techniques/T1547/013/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_process_capability_set_via_setcap.toml b/rules/linux/persistence_process_capability_set_via_setcap.toml index 412be5983..1f659ab84 100644 --- a/rules/linux/persistence_process_capability_set_via_setcap.toml +++ b/rules/linux/persistence_process_capability_set_via_setcap.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,7 +118,25 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml index 24520fbaf..cdb8c8701 100644 --- a/rules/linux/persistence_pth_file_creation.toml +++ b/rules/linux/persistence_pth_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -160,6 +160,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -172,3 +177,21 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.018" +name = "Python Startup Hooks" +reference = "https://attack.mitre.org/techniques/T1546/018/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_rc_local_error_via_syslog.toml b/rules/linux/persistence_rc_local_error_via_syslog.toml index 22cdd76e5..a40049fd6 100644 --- a/rules/linux/persistence_rc_local_error_via_syslog.toml +++ b/rules/linux/persistence_rc_local_error_via_syslog.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -112,3 +112,21 @@ reference = "https://attack.mitre.org/techniques/T1037/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_rc_local_service_already_running.toml b/rules/linux/persistence_rc_local_service_already_running.toml index c1a07ece7..3b6c833d8 100644 --- a/rules/linux/persistence_rc_local_service_already_running.toml +++ b/rules/linux/persistence_rc_local_service_already_running.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,3 +119,21 @@ reference = "https://attack.mitre.org/techniques/T1037/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index 1ae06027c..a86251828 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -183,3 +183,21 @@ reference = "https://attack.mitre.org/techniques/T1037/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index 7dccbc4c3..253e96e34 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -182,3 +182,21 @@ reference = "https://attack.mitre.org/techniques/T1548/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_shadow_file_modification.toml b/rules/linux/persistence_shadow_file_modification.toml index 61af8e00f..e488d7b6b 100644 --- a/rules/linux/persistence_shadow_file_modification.toml +++ b/rules/linux/persistence_shadow_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,6 +116,16 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index da1bfc939..372e352f5 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -205,6 +205,41 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["file.name", "process.name"] diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml index 4fe836551..36feba16b 100644 --- a/rules/linux/persistence_shell_configuration_modification.toml +++ b/rules/linux/persistence_shell_configuration_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -152,3 +152,21 @@ reference = "https://attack.mitre.org/techniques/T1546/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_simple_web_server_connection_accepted.toml b/rules/linux/persistence_simple_web_server_connection_accepted.toml index 11e4f177d..9594bb68d 100644 --- a/rules/linux/persistence_simple_web_server_connection_accepted.toml +++ b/rules/linux/persistence_simple_web_server_connection_accepted.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,48 +106,58 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique]] - id = "T1505" - name = "Server Software Component" - reference = "https://attack.mitre.org/techniques/T1505/" +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" - [[rule.threat.technique.subtechnique]] - id = "T1505.003" - name = "Web Shell" - reference = "https://attack.mitre.org/techniques/T1505/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_simple_web_server_creation.toml b/rules/linux/persistence_simple_web_server_creation.toml index a36dadf7d..2f6fa07ac 100644 --- a/rules/linux/persistence_simple_web_server_creation.toml +++ b/rules/linux/persistence_simple_web_server_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -141,6 +141,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -154,6 +159,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/persistence_site_and_user_customize_file_creation.toml b/rules/linux/persistence_site_and_user_customize_file_creation.toml index 90139b404..ff3ec2fe5 100644 --- a/rules/linux/persistence_site_and_user_customize_file_creation.toml +++ b/rules/linux/persistence_site_and_user_customize_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -148,6 +148,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -160,3 +165,21 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.018" +name = "Python Startup Hooks" +reference = "https://attack.mitre.org/techniques/T1546/018/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_ssh_netcon.toml b/rules/linux/persistence_ssh_netcon.toml index bde9a2bb7..2edd7f195 100644 --- a/rules/linux/persistence_ssh_netcon.toml +++ b/rules/linux/persistence_ssh_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -146,6 +146,11 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/persistence_ssh_via_backdoored_system_user.toml b/rules/linux/persistence_ssh_via_backdoored_system_user.toml index cf09a4556..fae10f1ce 100644 --- a/rules/linux/persistence_ssh_via_backdoored_system_user.toml +++ b/rules/linux/persistence_ssh_via_backdoored_system_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["system"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,6 +101,16 @@ user.name:( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" @@ -119,11 +129,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" @@ -134,6 +139,28 @@ id = "T1564.002" name = "Hidden Users" reference = "https://attack.mitre.org/techniques/T1564/002/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "host.id"] diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index a3db7c8cb..c78e14b4c 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,56 +96,89 @@ file.path : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml index 793a712a6..39876c5dc 100644 --- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,3 +142,21 @@ reference = "https://attack.mitre.org/techniques/T1563/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_systemd_generator_creation.toml b/rules/linux/persistence_systemd_generator_creation.toml index 1405518b4..c652b183d 100644 --- a/rules/linux/persistence_systemd_generator_creation.toml +++ b/rules/linux/persistence_systemd_generator_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,6 +138,11 @@ id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -156,6 +161,11 @@ id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml index 3d67cd461..1df61713b 100644 --- a/rules/linux/persistence_systemd_netcon.toml +++ b/rules/linux/persistence_systemd_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -171,3 +171,16 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index 03c70b2ad..ae8ceabfd 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml +++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/24" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -210,3 +210,21 @@ reference = "https://attack.mitre.org/techniques/T1053/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_systemd_service_started.toml b/rules/linux/persistence_systemd_service_started.toml index 4d7bc9658..8625e7ded 100644 --- a/rules/linux/persistence_systemd_service_started.toml +++ b/rules/linux/persistence_systemd_service_started.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -233,6 +233,23 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/persistence_systemd_shell_execution.toml b/rules/linux/persistence_systemd_shell_execution.toml index 634b59f4e..09970325b 100644 --- a/rules/linux/persistence_systemd_shell_execution.toml +++ b/rules/linux/persistence_systemd_shell_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -130,3 +130,21 @@ reference = "https://attack.mitre.org/techniques/T1543/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml index 367963adf..469573741 100644 --- a/rules/linux/persistence_tainted_kernel_module_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/23" integration = ["system"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -120,3 +120,21 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index b1e5e9806..da02eaa00 100644 --- a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index b58e6b0f9..7466666b3 100644 --- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,7 +138,30 @@ id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml index 6d45ba99f..7fa0e5101 100644 --- a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml +++ b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -112,6 +112,11 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" +[[rule.threat.technique.subtechnique]] +id = "T1542.003" +name = "Bootkit" +reference = "https://attack.mitre.org/techniques/T1542/003/" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -148,6 +153,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1542" +name = "Pre-OS Boot" +reference = "https://attack.mitre.org/techniques/T1542/" + +[[rule.threat.technique.subtechnique]] +id = "T1542.003" +name = "Bootkit" +reference = "https://attack.mitre.org/techniques/T1542/003/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/persistence_unusual_exim4_child_process.toml b/rules/linux/persistence_unusual_exim4_child_process.toml index 1b8046977..f30d00271 100644 --- a/rules/linux/persistence_unusual_exim4_child_process.toml +++ b/rules/linux/persistence_unusual_exim4_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,6 +94,31 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/persistence_unusual_pam_grantor.toml b/rules/linux/persistence_unusual_pam_grantor.toml index 962c7bb3a..d465614ba 100644 --- a/rules/linux/persistence_unusual_pam_grantor.toml +++ b/rules/linux/persistence_unusual_pam_grantor.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,6 +89,16 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -102,11 +112,15 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.new_terms] field = "new_terms_fields" value = ["auditd.data.grantors"] diff --git a/rules/linux/persistence_unusual_sshd_child_process.toml b/rules/linux/persistence_unusual_sshd_child_process.toml index 9acdc41ff..4c250cfc6 100644 --- a/rules/linux/persistence_unusual_sshd_child_process.toml +++ b/rules/linux/persistence_unusual_sshd_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -77,6 +77,11 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" @@ -128,6 +133,18 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/persistence_user_credential_modification_via_echo.toml b/rules/linux/persistence_user_credential_modification_via_echo.toml index 3ffcadfcb..f41a2cc78 100644 --- a/rules/linux/persistence_user_credential_modification_via_echo.toml +++ b/rules/linux/persistence_user_credential_modification_via_echo.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,3 +110,16 @@ reference = "https://attack.mitre.org/techniques/T1098/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_user_or_group_creation_or_modification.toml b/rules/linux/persistence_user_or_group_creation_or_modification.toml index 989aedbc3..7dd6db382 100644 --- a/rules/linux/persistence_user_or_group_creation_or_modification.toml +++ b/rules/linux/persistence_user_or_group_creation_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ event.action in ("changed-password", "added-user-account", "added-group-account- [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" @@ -124,3 +129,21 @@ reference = "https://attack.mitre.org/techniques/T1136/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml index 9bf48a74d..96ac48f1a 100644 --- a/rules/linux/persistence_web_server_sus_child_spawned.toml +++ b/rules/linux/persistence_web_server_sus_child_spawned.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -221,6 +221,21 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -238,3 +253,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml index bd1fd7cbd..6306b468f 100644 --- a/rules/linux/persistence_web_server_sus_command_execution.toml +++ b/rules/linux/persistence_web_server_sus_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -223,3 +223,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/persistence_web_server_sus_destination_port.toml b/rules/linux/persistence_web_server_sus_destination_port.toml index 1c274eb2f..72aa174c9 100644 --- a/rules/linux/persistence_web_server_sus_destination_port.toml +++ b/rules/linux/persistence_web_server_sus_destination_port.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -114,11 +114,6 @@ not cidrmatch(destination.ip, "127.0.0.0/8", "::1","FE80::/10", "FF00::/8", "10. [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Persistence" -id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" @@ -129,14 +124,14 @@ id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -147,15 +142,25 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_web_server_unusual_command_execution.toml b/rules/linux/persistence_web_server_unusual_command_execution.toml index e8c298819..cda9c6e04 100644 --- a/rules/linux/persistence_web_server_unusual_command_execution.toml +++ b/rules/linux/persistence_web_server_unusual_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -143,6 +143,18 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.command_line"] diff --git a/rules/linux/persistence_xdg_autostart_netcon.toml b/rules/linux/persistence_xdg_autostart_netcon.toml index d51e8ec2e..a7011c3c5 100644 --- a/rules/linux/persistence_xdg_autostart_netcon.toml +++ b/rules/linux/persistence_xdg_autostart_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -151,3 +151,21 @@ reference = "https://attack.mitre.org/techniques/T1547/013/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml index cfc4377bf..57be4ef85 100644 --- a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -154,6 +154,11 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index bfc29e3bb..111a373cf 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,3 +138,21 @@ reference = "https://attack.mitre.org/techniques/T1003/008/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index e7e9e00b5..ea17cb60f 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml +++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,3 +123,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml b/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml index 1e3ddd54e..297133b5d 100644 --- a/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml +++ b/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/01" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,6 +119,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml index cbb17f3d8..173b44030 100644 --- a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml +++ b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/01" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/10/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,7 +118,35 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml b/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml index b3c53534d..0ad192c73 100644 --- a/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml +++ b/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/30" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,6 +142,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.007" +name = "Path Interception by PATH Environment Variable" +reference = "https://attack.mitre.org/techniques/T1574/007/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_dac_permissions.toml b/rules/linux/privilege_escalation_dac_permissions.toml index d6e99458e..485d724da 100644 --- a/rules/linux/privilege_escalation_dac_permissions.toml +++ b/rules/linux/privilege_escalation_dac_permissions.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,6 +127,33 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["process.name"] diff --git a/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml b/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml index 94a0637e9..22e78454d 100644 --- a/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml +++ b/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,3 +113,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_docker_release_file_creation.toml b/rules/linux/privilege_escalation_docker_release_file_creation.toml index 13bfdf602..e919be74c 100644 --- a/rules/linux/privilege_escalation_docker_release_file_creation.toml +++ b/rules/linux/privilege_escalation_docker_release_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,6 +78,11 @@ not process.executable in ("/usr/bin/podman", "/sbin/sos", "/sbin/sosreport", "/ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" @@ -87,3 +92,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/privilege_escalation_enlightenment_window_manager.toml b/rules/linux/privilege_escalation_enlightenment_window_manager.toml index 163762f1c..4d7848f81 100644 --- a/rules/linux/privilege_escalation_enlightenment_window_manager.toml +++ b/rules/linux/privilege_escalation_enlightenment_window_manager.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,14 +102,23 @@ Enlightenment, a Linux window manager, can be exploited for privilege escalation [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml index d9f136f68..8de88108c 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml +++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,24 +104,28 @@ The CAP_SYS_PTRACE capability in Linux allows processes to trace and control oth [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml index b03edb7d5..8e85be529 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml +++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,53 +106,72 @@ GDB, a debugger, can be granted the CAP_SYS_PTRACE capability, allowing it to tr [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat.technique.subtechnique]] +id = "T1055.008" +name = "Ptrace System Calls" +reference = "https://attack.mitre.org/techniques/T1055/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml index 5c695d128..f82fe7162 100644 --- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml +++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,31 +102,41 @@ Kworker processes are integral to Linux, handling tasks like interrupts and back [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.013" name = "KernelCallbackTable" reference = "https://attack.mitre.org/techniques/T1574/013/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index 046ac0903..88dcfc8a9 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,6 +129,41 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index af3b13bbb..7b6c41b14 100644 --- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,6 +122,11 @@ id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -144,3 +149,29 @@ reference = "https://attack.mitre.org/techniques/T1003/008/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index e2af607fc..247f75687 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -153,6 +153,11 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [[rule.threat.technique]] id = "T1601" name = "Modify System Image" diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml index 7f703f3cf..8a26e54fe 100644 --- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml +++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -114,14 +114,23 @@ CVE-2023-4911 exploits a buffer overflow in the GNU C Library's dynamic loader, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index c7b540738..fa85b1fca 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,14 +105,18 @@ OverlayFS is a union filesystem used in Linux environments to overlay one filesy [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index 9df3d417f..bbffa62b3 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,31 +100,46 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [[rule.threat.technique.subtechnique]] id = "T1574.007" name = "Path Interception by PATH Environment Variable" reference = "https://attack.mitre.org/techniques/T1574/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml index f7d626e37..3b93dd57a 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -168,3 +168,21 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml index 6073256d5..04869b7ba 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -156,12 +156,22 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index c21496700..c2e925719 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -131,6 +131,16 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index d916e1256..f79504002 100644 --- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,3 +117,29 @@ reference = "https://attack.mitre.org/techniques/T1078/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml b/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml index 84c02d175..789d6a14b 100644 --- a/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml +++ b/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index c90a6990f..c7384b967 100644 --- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index b137cf4d0..5d26914be 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -133,6 +133,11 @@ id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -150,3 +155,16 @@ reference = "https://attack.mitre.org/techniques/T1574/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1056" +name = "Input Capture" +reference = "https://attack.mitre.org/techniques/T1056/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index 5ea5e75e9..feb099acf 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,29 +103,56 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat.technique.subtechnique]] +id = "T1055.008" +name = "Ptrace System Calls" +reference = "https://attack.mitre.org/techniques/T1055/008/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index a679ec485..a15937e4c 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml +++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1548/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml index 0035cfea0..c6754a242 100644 --- a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,14 +109,36 @@ In Linux, CAP_CHOWN and CAP_FOWNER are capabilities that allow processes to chan [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml index 923962a5d..20c3a9c7a 100644 --- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml +++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,14 +124,31 @@ In Linux environments, the `/etc/passwd` file is crucial for managing user accou [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml index a179911f6..2c32e927a 100644 --- a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -141,3 +141,21 @@ reference = "https://attack.mitre.org/techniques/T1548/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml index 8a74ae8f8..34b21863a 100644 --- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml +++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml index 46af71288..31c8199b6 100644 --- a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml +++ b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,6 +115,16 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -142,7 +152,6 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml index 05c5c6f2a..98ed00988 100644 --- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml +++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,6 +125,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml index 7b9152ef5..a19944f3b 100644 --- a/rules/linux/privilege_escalation_writable_docker_socket.toml +++ b/rules/linux/privilege_escalation_writable_docker_socket.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/25" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,14 +107,26 @@ Docker sockets facilitate communication between the Docker client and daemon, ty [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/collection_discovery_output_written_to_suspicious_file.toml b/rules/macos/collection_discovery_output_written_to_suspicious_file.toml index 298a32c90..040480b43 100644 --- a/rules/macos/collection_discovery_output_written_to_suspicious_file.toml +++ b/rules/macos/collection_discovery_output_written_to_suspicious_file.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,30 +75,40 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Collection" - id = "TA0009" - reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" - [[rule.threat.technique]] - name = "Data Staged" - id = "T1074" - reference = "https://attack.mitre.org/techniques/T1074/" +[[rule.threat.technique.subtechnique]] +id = "T1074.001" +name = "Local Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/001/" - [[rule.threat.technique.subtechnique]] - name = "Local Data Staging" - id = "T1074.001" - reference = "https://attack.mitre.org/techniques/T1074/001/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Discovery" - id = "TA0007" - reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique]] - name = "System Information Discovery" - id = "T1082" - reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/macos/collection_sensitive_file_access_followed_by_compression.toml b/rules/macos/collection_sensitive_file_access_followed_by_compression.toml index 68fa16c90..27155e6e4 100644 --- a/rules/macos/collection_sensitive_file_access_followed_by_compression.toml +++ b/rules/macos/collection_sensitive_file_access_followed_by_compression.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,30 +80,35 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Collection" - id = "TA0009" - reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" - [[rule.threat.technique]] - name = "Data Staged" - id = "T1074" - reference = "https://attack.mitre.org/techniques/T1074/" +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" - [[rule.threat.technique.subtechnique]] - name = "Local Data Staging" - id = "T1074.001" - reference = "https://attack.mitre.org/techniques/T1074/001/" +[[rule.threat.technique.subtechnique]] +id = "T1074.001" +name = "Local Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/001/" - [[rule.threat.technique]] - name = "Archive Collected Data" - id = "T1560" - reference = "https://attack.mitre.org/techniques/T1560/" +[[rule.threat.technique]] +id = "T1560" +name = "Archive Collected Data" +reference = "https://attack.mitre.org/techniques/T1560/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/macos/command_and_control_aws_s3_connection_via_script.toml b/rules/macos/command_and_control_aws_s3_connection_via_script.toml index 2128dd082..3b50a6efa 100644 --- a/rules/macos/command_and_control_aws_s3_connection_via_script.toml +++ b/rules/macos/command_and_control_aws_s3_connection_via_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,30 +78,58 @@ FROM logs-endpoint.events.network-* [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" - [[rule.threat.technique]] - name = "Exfiltration Over Web Service" - id = "T1567" - reference = "https://attack.mitre.org/techniques/T1567/" +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" - [[rule.threat.technique.subtechnique]] - name = "Exfiltration to Cloud Storage" - id = "T1567.002" - reference = "https://attack.mitre.org/techniques/T1567/002/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/command_and_control_google_calendar_c2_via_script.toml b/rules/macos/command_and_control_google_calendar_c2_via_script.toml index 9d68b0d61..38e50b72a 100644 --- a/rules/macos/command_and_control_google_calendar_c2_via_script.toml +++ b/rules/macos/command_and_control_google_calendar_c2_via_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,40 +83,50 @@ sequence by process.entity_id with maxspan=20s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.001" +name = "Dead Drop Resolver" +reference = "https://attack.mitre.org/techniques/T1102/001/" - [[rule.threat.technique.subtechnique]] - name = "Bidirectional Communication" - id = "T1102.002" - reference = "https://attack.mitre.org/techniques/T1102/002/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" - [[rule.threat.technique.subtechnique]] - name = "JavaScript" - id = "T1059.007" - reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/command_and_control_network_connection_to_oast_domain.toml b/rules/macos/command_and_control_network_connection_to_oast_domain.toml index 0da1e9b94..3b29be346 100644 --- a/rules/macos/command_and_control_network_connection_to_oast_domain.toml +++ b/rules/macos/command_and_control_network_connection_to_oast_domain.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -77,25 +77,56 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" - [[rule.threat.technique]] - name = "Exfiltration Over Web Service" - id = "T1567" - reference = "https://attack.mitre.org/techniques/T1567/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1195" +name = "Supply Chain Compromise" +reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/macos/command_and_control_perl_outbound_network_connection.toml b/rules/macos/command_and_control_perl_outbound_network_connection.toml index 5241029aa..e3fa344b2 100644 --- a/rules/macos/command_and_control_perl_outbound_network_connection.toml +++ b/rules/macos/command_and_control_perl_outbound_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -74,30 +74,35 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/command_and_control_potential_etherhiding_c2.toml b/rules/macos/command_and_control_potential_etherhiding_c2.toml index d6eb9a913..dfa3fa467 100644 --- a/rules/macos/command_and_control_potential_etherhiding_c2.toml +++ b/rules/macos/command_and_control_potential_etherhiding_c2.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,45 +80,55 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.001" +name = "Dead Drop Resolver" +reference = "https://attack.mitre.org/techniques/T1102/001/" - [[rule.threat.technique.subtechnique]] - name = "Bidirectional Communication" - id = "T1102.002" - reference = "https://attack.mitre.org/techniques/T1102/002/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" - [[rule.threat.technique.subtechnique]] - name = "JavaScript" - id = "T1059.007" - reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml b/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml index d4ff78d48..ce91f8fa5 100644 --- a/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml +++ b/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,35 +83,40 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" - [[rule.threat.technique]] - name = "Non-Standard Port" - id = "T1571" - reference = "https://attack.mitre.org/techniques/T1571/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" - [[rule.threat.technique.subtechnique]] - name = "JavaScript" - id = "T1059.007" - reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml b/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml index 06b8d5ebb..17e43a7bf 100644 --- a/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml +++ b/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,12 +86,40 @@ process where host.os.type == "macos" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Ingress Tool Transfer" - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" + +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml b/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml index ba69a5cda..6ad7cd479 100644 --- a/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml +++ b/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,22 +80,32 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Ingress Tool Transfer" - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique.subtechnique]] - name = "Bidirectional Communication" - id = "T1102.002" - reference = "https://attack.mitre.org/techniques/T1102/002/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml b/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml index fa4d92218..8e423be32 100644 --- a/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml +++ b/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,12 +85,30 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" - [[rule.threat.technique]] - name = "Non-Standard Port" - id = "T1571" - reference = "https://attack.mitre.org/techniques/T1571/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" + +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml index 9a0859fd9..1fbe462cd 100644 --- a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml +++ b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -188,11 +188,43 @@ id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.003" +name = "Exfiltration to Text Storage Sites" +reference = "https://attack.mitre.org/techniques/T1567/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.004" +name = "Exfiltration Over Webhook" +reference = "https://attack.mitre.org/techniques/T1567/004/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "destination.domain"] diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml index 11e5309dc..f3f850663 100644 --- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml +++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,14 +100,18 @@ In macOS environments, built-in commands like `defaults` and `mkpassdb` can be e [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_high_volume_of_pbpaste.toml b/rules/macos/credential_access_high_volume_of_pbpaste.toml index 8cf8dad21..113d70f61 100644 --- a/rules/macos/credential_access_high_volume_of_pbpaste.toml +++ b/rules/macos/credential_access_high_volume_of_pbpaste.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["endpoint", "jamf_protect"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.investigate]] @@ -108,14 +108,26 @@ sequence by host.hostname, host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1056" name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1115" +name = "Clipboard Data" +reference = "https://attack.mitre.org/techniques/T1115/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml index e566cdb00..3c2793609 100644 --- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,6 +101,7 @@ Kerberos is a network authentication protocol designed to provide secure identit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" @@ -110,15 +111,18 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - +[[rule.threat.technique.subtechnique]] +id = "T1558.005" +name = "Ccache Files" +reference = "https://attack.mitre.org/techniques/T1558/005/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml index d1bc68892..938f9779c 100644 --- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,29 +107,23 @@ Keychain is macOS's secure storage system for managing user credentials, includi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" reference = "https://attack.mitre.org/techniques/T1555/001/" - -[[rule.threat.technique]] -id = "T1555" -name = "Credentials from Password Stores" -reference = "https://attack.mitre.org/techniques/T1555/" [[rule.threat.technique.subtechnique]] id = "T1555.003" name = "Credentials from Web Browsers" reference = "https://attack.mitre.org/techniques/T1555/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml index 356443d7e..dadd11cd2 100644 --- a/rules/macos/credential_access_mitm_localhost_webproxy.toml +++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,14 +103,31 @@ Web proxy settings in macOS manage how web traffic is routed, often used to enha [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1539/" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml index 87666419b..15af0dc34 100644 --- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml +++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -97,17 +97,29 @@ SSH (Secure Shell) is a protocol used to securely access remote systems. On macO [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.threshold] field = ["host.id"] value = 20 diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml index 24d5fa1fb..4cfbb25cd 100644 --- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -112,19 +112,36 @@ OSASCRIPT is a macOS utility that allows the execution of AppleScript and other [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1056" name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" + [[rule.threat.technique.subtechnique]] id = "T1056.002" name = "GUI Input Capture" reference = "https://attack.mitre.org/techniques/T1056/002/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml b/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml index 26ee109c5..7a1234c88 100644 --- a/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml +++ b/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,20 +73,46 @@ process.name:python* [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1539" +name = "Steal Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1539/" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" reference = "https://attack.mitre.org/techniques/T1555/001/" +[[rule.threat.technique]] +id = "T1558" +name = "Steal or Forge Kerberos Tickets" +reference = "https://attack.mitre.org/techniques/T1558/" + +[[rule.threat.technique.subtechnique]] +id = "T1558.005" +name = "Ccache Files" +reference = "https://attack.mitre.org/techniques/T1558/005/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path"] diff --git a/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml b/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml index 9bc52f178..535d1743a 100644 --- a/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml +++ b/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,6 +105,7 @@ Web browsers store sensitive data like cookies and login credentials in specific [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" @@ -114,15 +115,26 @@ reference = "https://attack.mitre.org/techniques/T1539/" id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.003" name = "Credentials from Web Browsers" reference = "https://attack.mitre.org/techniques/T1555/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml index 0ce7fb225..1f86c9281 100644 --- a/rules/macos/credential_access_systemkey_dumping.toml +++ b/rules/macos/credential_access_systemkey_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,19 +99,31 @@ macOS keychains securely store user credentials, including passwords and certifi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" reference = "https://attack.mitre.org/techniques/T1555/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml index 744d460b1..379b50eb3 100644 --- a/rules/macos/defense_evasion_apple_softupdates_modification.toml +++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,19 +99,23 @@ In macOS environments, the SoftwareUpdate preferences manage system updates, cru [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique]] +id = "T1647" +name = "Plist File Modification" +reference = "https://attack.mitre.org/techniques/T1647/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml index 2a5331cde..5f07e8352 100644 --- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml +++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,19 +107,28 @@ In macOS, files downloaded from the internet are tagged with a quarantine attrib [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" + +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml index d56533056..c5a7587ca 100644 --- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml +++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,14 +102,18 @@ Gatekeeper is a macOS security feature that ensures only trusted software runs b [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml b/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml index 65c5732f9..115d59253 100644 --- a/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml +++ b/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,35 +89,53 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml b/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml index 026222507..4293e385f 100644 --- a/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml +++ b/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,27 +76,45 @@ configuration where host.os.type == "macos" and event.action == "gatekeeper_over [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" - [[rule.threat.technique]] - name = "Impair Defenses" - id = "T1562" - reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" - [[rule.threat.technique.subtechnique]] - name = "Disable or Modify Tools" - id = "T1562.001" - reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique]] - name = "Subvert Trust Controls" - id = "T1553" - reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" - [[rule.threat.technique.subtechnique]] - name = "Gatekeeper Bypass" - id = "T1553.001" - reference = "https://attack.mitre.org/techniques/T1553/001/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml index cc25b452b..72328ff7e 100644 --- a/rules/macos/defense_evasion_modify_environment_launchctl.toml +++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,19 +102,23 @@ Environment variables in macOS are crucial for configuring system and applicatio [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [[rule.threat.technique.subtechnique]] id = "T1574.007" name = "Path Interception by PATH Environment Variable" reference = "https://attack.mitre.org/techniques/T1574/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml index 142f83f0d..e6df1d7b6 100644 --- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml +++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,19 +104,28 @@ The Transparency, Consent, and Control (TCC) database in macOS manages app permi [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml index edcdf2e93..cd78d6ab6 100644 --- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml +++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,26 +105,39 @@ Secure Copy Protocol (SCP) is used for secure file transfers over SSH. On macOS, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml index 4a35cd072..10e852e45 100644 --- a/rules/macos/defense_evasion_safari_config_change.toml +++ b/rules/macos/defense_evasion_safari_config_change.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,19 +100,23 @@ The 'defaults' command in macOS is a utility that allows users to read, write, a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique]] +id = "T1647" +name = "Plist File Modification" +reference = "https://attack.mitre.org/techniques/T1647/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml index 308e0584e..7ba87ae52 100644 --- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml +++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,14 +101,23 @@ Microsoft Office applications on macOS operate within a sandbox to limit potenti [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1497" name = "Virtualization/Sandbox Evasion" reference = "https://attack.mitre.org/techniques/T1497/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml index 03d0581f3..70b84cd97 100644 --- a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml +++ b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,30 +85,48 @@ FROM logs-endpoint.events.* [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique]] - name = "Abuse Elevation Control Mechanism" - id = "T1548" - reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" - [[rule.threat.technique.subtechnique]] - name = "TCC Manipulation" - id = "T1548.006" - reference = "https://attack.mitre.org/techniques/T1548/006/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Collection" - id = "TA0009" - reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" - [[rule.threat.technique]] - name = "Data from Local System" - id = "T1005" - reference = "https://attack.mitre.org/techniques/T1005/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml index 78f98ad69..bb9e3a4e6 100644 --- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml +++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,14 +98,26 @@ Apple's TCC framework safeguards user data by controlling app access to sensitiv [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1006" name = "Direct Volume Access" reference = "https://attack.mitre.org/techniques/T1006/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/discovery_full_disk_access_check.toml b/rules/macos/discovery_full_disk_access_check.toml index 58b259b52..1bd5142d1 100644 --- a/rules/macos/discovery_full_disk_access_check.toml +++ b/rules/macos/discovery_full_disk_access_check.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,30 +72,48 @@ file where host.os.type == "macos" and event.action == "open" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Discovery" - id = "TA0007" - reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" - [[rule.threat.technique]] - name = "File and Directory Discovery" - id = "T1083" - reference = "https://attack.mitre.org/techniques/T1083/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique]] - name = "Abuse Elevation Control Mechanism" - id = "T1548" - reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" - [[rule.threat.technique.subtechnique]] - name = "TCC Manipulation" - id = "T1548.006" - reference = "https://attack.mitre.org/techniques/T1548/006/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/discovery_suspicious_sip_check.toml b/rules/macos/discovery_suspicious_sip_check.toml index cf48e7fe8..19b49d3f6 100644 --- a/rules/macos/discovery_suspicious_sip_check.toml +++ b/rules/macos/discovery_suspicious_sip_check.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -74,22 +74,40 @@ process where host.os.type == "macos" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Discovery" - id = "TA0007" - reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" - [[rule.threat.technique]] - name = "System Information Discovery" - id = "T1082" - reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" - [[rule.threat.technique]] - name = "Virtualization/Sandbox Evasion" - id = "T1497" - reference = "https://attack.mitre.org/techniques/T1497/" +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" - [[rule.threat.technique.subtechnique]] - name = "System Checks" - id = "T1497.001" - reference = "https://attack.mitre.org/techniques/T1497/001/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/macos/discovery_system_and_network_configuration_check.toml b/rules/macos/discovery_system_and_network_configuration_check.toml index 05dfd0e7d..4e55e3ad8 100644 --- a/rules/macos/discovery_system_and_network_configuration_check.toml +++ b/rules/macos/discovery_system_and_network_configuration_check.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -71,17 +71,17 @@ file where host.os.type == "macos" and event.action == "open" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Discovery" - id = "TA0007" - reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique]] - name = "System Information Discovery" - id = "T1082" - reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" - [[rule.threat.technique]] - name = "System Network Configuration Discovery" - id = "T1016" - reference = "https://attack.mitre.org/techniques/T1016/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml index 6720bc025..d8b8d169b 100644 --- a/rules/macos/discovery_users_domain_built_in_commands.toml +++ b/rules/macos/discovery_users_domain_built_in_commands.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,29 +105,38 @@ Built-in macOS commands like `ldapsearch`, `dsmemberutil`, and `dscl` are essent [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml index 6ec5857b8..6ac080940 100644 --- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml +++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,26 +103,31 @@ Electron applications, built on Node.js, can execute child processes using the ` [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml index 3280689d0..e15e12215 100644 --- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml +++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,26 +106,64 @@ Web browsers are integral to user interaction with the internet, often serving a [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1189" name = "Drive-by Compromise" reference = "https://attack.mitre.org/techniques/T1189/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml index f54b8347f..3b70f10fc 100644 --- a/rules/macos/execution_installer_package_spawned_network_event.toml +++ b/rules/macos/execution_installer_package_spawned_network_event.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -112,36 +112,56 @@ MacOS installer packages, often with a .pkg extension, are used to distribute so [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/macos/execution_python_shell_spawn_first_occurrence.toml b/rules/macos/execution_python_shell_spawn_first_occurrence.toml index 6da50e09b..1e674eb9d 100644 --- a/rules/macos/execution_python_shell_spawn_first_occurrence.toml +++ b/rules/macos/execution_python_shell_spawn_first_occurrence.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,10 +76,17 @@ not process.command_line:(*pip* or *conda* or *brew* or *jupyter*) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique.subtechnique]] id = "T1059.006" name = "Python" @@ -89,7 +96,6 @@ reference = "https://attack.mitre.org/techniques/T1059/006/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable"] diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml index a5320a954..e0a473b5c 100644 --- a/rules/macos/execution_script_via_automator_workflows.toml +++ b/rules/macos/execution_script_via_automator_workflows.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -97,14 +97,18 @@ Automator, a macOS utility, allows users to automate repetitive tasks through wo [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml index f657656b6..c8652253c 100644 --- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml +++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,31 +108,36 @@ AppleScript, a scripting language for macOS, automates tasks by controlling appl [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.002" name = "AppleScript" reference = "https://attack.mitre.org/techniques/T1059/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml index 03218b38b..3c9e5a498 100644 --- a/rules/macos/execution_shell_execution_via_apple_scripting.toml +++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,14 +101,23 @@ AppleScript and JXA are scripting languages used in macOS to automate tasks and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/execution_unusual_library_load_via_python.toml b/rules/macos/execution_unusual_library_load_via_python.toml index 99c96e54e..74c7555e5 100644 --- a/rules/macos/execution_unusual_library_load_via_python.toml +++ b/rules/macos/execution_unusual_library_load_via_python.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,17 +82,22 @@ library where host.os.type == "macos" and event.action == "load" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml index b89f017f6..e7f5358d9 100644 --- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml +++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -164,19 +164,61 @@ Microsoft Office applications on macOS can be exploited by adversaries to execut [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml index 23775e461..2050d05ec 100644 --- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml +++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,36 +103,79 @@ Kerberos is a network authentication protocol designed to provide secure identit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.002" +name = "Pass the Hash" +reference = "https://attack.mitre.org/techniques/T1550/002/" + [[rule.threat.technique.subtechnique]] id = "T1550.003" name = "Pass the Ticket" reference = "https://attack.mitre.org/techniques/T1550/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - +[[rule.threat.technique.subtechnique]] +id = "T1558.005" +name = "Ccache Files" +reference = "https://attack.mitre.org/techniques/T1558/005/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.002" +name = "Pass the Hash" +reference = "https://attack.mitre.org/techniques/T1550/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.003" +name = "Pass the Ticket" +reference = "https://attack.mitre.org/techniques/T1550/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml index 5d7922d88..f8bc0af06 100644 --- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml +++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,19 +101,31 @@ The `systemsetup` command in macOS is a utility that allows administrators to co [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml b/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml index e96f7b945..24db77448 100644 --- a/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml +++ b/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,25 +78,45 @@ process where host.os.type == "macos" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Lateral Movement" - id = "TA0008" - reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat.technique]] +id = "T1072" +name = "Software Deployment Tools" +reference = "https://attack.mitre.org/techniques/T1072/" - [[rule.threat.technique]] - name = "Software Deployment Tools" - id = "T1072" - reference = "https://attack.mitre.org/techniques/T1072/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Software Deployment Tools" - id = "T1072" - reference = "https://attack.mitre.org/techniques/T1072/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique]] +id = "T1072" +name = "Software Deployment Tools" +reference = "https://attack.mitre.org/techniques/T1072/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml index 448fb9b9b..c284bdb24 100644 --- a/rules/macos/lateral_movement_vpn_connection_attempt.toml +++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,14 +105,26 @@ Virtual Private Networks (VPNs) are used to securely connect to remote networks, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml index 8ffa36218..aad29d1ee 100644 --- a/rules/macos/persistence_account_creation_hide_at_logon.toml +++ b/rules/macos/persistence_account_creation_hide_at_logon.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,19 +98,46 @@ In macOS environments, the `dscl` command-line utility manages directory service [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" +[[rule.threat.technique.subtechnique]] +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique.subtechnique]] +id = "T1564.002" +name = "Hidden Users" +reference = "https://attack.mitre.org/techniques/T1564/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/macos/persistence_apple_mail_rule_modification.toml b/rules/macos/persistence_apple_mail_rule_modification.toml index 4e7a49b2d..5c61bee11 100644 --- a/rules/macos/persistence_apple_mail_rule_modification.toml +++ b/rules/macos/persistence_apple_mail_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,25 +81,38 @@ file where host.os.type == "macos" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique]] - name = "Event Triggered Execution" - id = "T1546" - reference = "https://attack.mitre.org/techniques/T1546/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1647" +name = "Plist File Modification" +reference = "https://attack.mitre.org/techniques/T1647/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml index 25970d864..b194c48c8 100644 --- a/rules/macos/persistence_creation_change_launch_agents_file.toml +++ b/rules/macos/persistence_creation_change_launch_agents_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,19 +100,41 @@ Launch Agents in macOS are used to execute scripts or applications automatically [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.001" +name = "Launchctl" +reference = "https://attack.mitre.org/techniques/T1569/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml index 1dd6607c7..374da22f8 100644 --- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml +++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -97,43 +97,49 @@ AppleScript is a scripting language for automating tasks on macOS, including man [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.015" +name = "Login Items" +reference = "https://attack.mitre.org/techniques/T1547/015/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.002" name = "AppleScript" reference = "https://attack.mitre.org/techniques/T1059/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1647" name = "Plist File Modification" reference = "https://attack.mitre.org/techniques/T1647/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml index 15e616378..2dc6bcf3a 100644 --- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,19 +103,31 @@ Authorization plugins in macOS extend authentication capabilities, enabling feat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.002" name = "Authentication Package" reference = "https://attack.mitre.org/techniques/T1547/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml index 0fd47fdaa..3610bd457 100644 --- a/rules/macos/persistence_crontab_creation.toml +++ b/rules/macos/persistence_crontab_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,19 +100,36 @@ Cron is a time-based job scheduler in Unix-like operating systems, including mac [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/persistence_curl_execution_via_shell_profile.toml b/rules/macos/persistence_curl_execution_via_shell_profile.toml index 7be128e76..0d180ea67 100644 --- a/rules/macos/persistence_curl_execution_via_shell_profile.toml +++ b/rules/macos/persistence_curl_execution_via_shell_profile.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,30 +81,48 @@ sequence with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique]] - name = "Event Triggered Execution" - id = "T1546" - reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell Configuration Modification" - id = "T1546.004" - reference = "https://attack.mitre.org/techniques/T1546/004/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" - [[rule.threat.technique]] - name = "Ingress Tool Transfer" - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml index 1feff70a4..40c255619 100644 --- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,36 +103,41 @@ Launchd is a key macOS system process responsible for managing system and user s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml index 851527cc2..6a5403012 100644 --- a/rules/macos/persistence_directory_services_plugins_modification.toml +++ b/rules/macos/persistence_directory_services_plugins_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,14 +98,18 @@ DirectoryService PlugIns on macOS are integral for managing directory-based serv [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml index 60cccae6d..5e68169bf 100644 --- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml +++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,14 +102,23 @@ Docker shortcuts on macOS are managed through dock property lists, which define [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.009" +name = "Shortcut Modification" +reference = "https://attack.mitre.org/techniques/T1547/009/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml index aceae728d..d163f01c8 100644 --- a/rules/macos/persistence_emond_rules_file_creation.toml +++ b/rules/macos/persistence_emond_rules_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,19 +99,36 @@ The Event Monitor Daemon (emond) on macOS is a service that executes commands ba [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.014" name = "Emond" reference = "https://attack.mitre.org/techniques/T1546/014/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.014" +name = "Emond" +reference = "https://attack.mitre.org/techniques/T1546/014/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml index 4a0d2d1dd..d311934e0 100644 --- a/rules/macos/persistence_emond_rules_process_execution.toml +++ b/rules/macos/persistence_emond_rules_process_execution.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,19 +125,69 @@ The Event Monitor Daemon (emond) on macOS is a service that executes commands ba [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.014" name = "Emond" reference = "https://attack.mitre.org/techniques/T1546/014/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.014" +name = "Emond" +reference = "https://attack.mitre.org/techniques/T1546/014/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml index 5e06d5edd..aff54dfac 100644 --- a/rules/macos/persistence_enable_root_account.toml +++ b/rules/macos/persistence_enable_root_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -97,19 +97,36 @@ In macOS environments, the root account is typically disabled to enhance securit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index 49dd1c743..a6a9cae03 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,36 +101,41 @@ Launch agents and daemons in macOS are background services that start at login o [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml index 46944a678..d790a233a 100644 --- a/rules/macos/persistence_folder_action_scripts_runtime.toml +++ b/rules/macos/persistence_folder_action_scripts_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,26 +101,31 @@ Folder Action scripts on macOS automate tasks by executing scripts when folder c [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml index 40020db35..4de5c5b0c 100644 --- a/rules/macos/persistence_login_logout_hooks_defaults.toml +++ b/rules/macos/persistence_login_logout_hooks_defaults.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,14 +108,18 @@ In macOS environments, login and logout hooks are scripts executed automatically [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique.subtechnique]] +id = "T1037.002" +name = "Login Hook" +reference = "https://attack.mitre.org/techniques/T1037/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index 7603cbada..e85b2d8c0 100644 --- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -67,26 +67,36 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.002" +name = "Login Hook" +reference = "https://attack.mitre.org/techniques/T1037/002/" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1647" name = "Plist File Modification" reference = "https://attack.mitre.org/techniques/T1647/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_manual_chromium_extension_loading.toml b/rules/macos/persistence_manual_chromium_extension_loading.toml index 245e2cd90..07e4a9a4f 100644 --- a/rules/macos/persistence_manual_chromium_extension_loading.toml +++ b/rules/macos/persistence_manual_chromium_extension_loading.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,25 +86,43 @@ process where host.os.type == "macos" and event.action == "exec" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1176" +name = "Software Extensions" +reference = "https://attack.mitre.org/techniques/T1176/" - [[rule.threat.technique]] - name = "Software Extensions" - id = "T1176" - reference = "https://attack.mitre.org/techniques/T1176/" +[[rule.threat.technique.subtechnique]] +id = "T1176.001" +name = "Browser Extensions" +reference = "https://attack.mitre.org/techniques/T1176/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Credential Access" - id = "TA0006" - reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat.technique]] +id = "T1539" +name = "Steal Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1539/" - [[rule.threat.technique]] - name = "Steal Web Session Cookie" - id = "T1539" - reference = "https://attack.mitre.org/techniques/T1539/" +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1185" +name = "Browser Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1185/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml index 2c5cd8c46..af2fe4da7 100644 --- a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml +++ b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,20 +73,26 @@ process.name:python* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path"] diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml index 447919804..f3d28e5de 100644 --- a/rules/macos/persistence_screensaver_plist_file_modification.toml +++ b/rules/macos/persistence_screensaver_plist_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,14 +101,18 @@ file where host.os.type == "macos" and event.action == "modification" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.002" +name = "Screensaver" +reference = "https://attack.mitre.org/techniques/T1546/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml b/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml index fac9eb9b6..541eca18f 100644 --- a/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml +++ b/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,17 +88,35 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique]] - name = "Event Triggered Execution" - id = "T1546" - reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" - [[rule.threat.technique.subtechnique]] - name = "Installer Packages" - id = "T1546.016" - reference = "https://attack.mitre.org/techniques/T1546/016/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml index eff66a14b..20a55491f 100644 --- a/rules/macos/persistence_via_atom_init_file_modification.toml +++ b/rules/macos/persistence_via_atom_init_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,14 +102,18 @@ Atom, a popular text editor, allows customization via the `init.coffee` script, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml index ca5bd4627..154da3648 100644 --- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml +++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,26 +99,41 @@ AppleScript, a scripting language for macOS, automates tasks by controlling appl [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.004" +name = "Elevated Execution with Prompt" +reference = "https://attack.mitre.org/techniques/T1548/004/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml index f295bcc10..495b1af36 100644 --- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml +++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,6 +104,7 @@ In macOS environments, the `security_authtrampoline` process is used to execute [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -113,27 +114,46 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.004" name = "Elevated Execution with Prompt" reference = "https://attack.mitre.org/techniques/T1548/004/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml index 0b7b102ae..9652b050d 100644 --- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml +++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,19 +101,28 @@ In macOS environments, tools like `dscl` and `dseditgroup` manage user group mem [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/macos/privilege_escalation_user_added_to_admin_group.toml b/rules/macos/privilege_escalation_user_added_to_admin_group.toml index eb4046a40..70e4595fc 100644 --- a/rules/macos/privilege_escalation_user_added_to_admin_group.toml +++ b/rules/macos/privilege_escalation_user_added_to_admin_group.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["jamf_protect"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.investigate]] @@ -103,19 +103,28 @@ configuration where host.os.type == "macos" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml index 677898f0c..6e0dfd194 100644 --- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml +++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -116,14 +116,36 @@ DNS tunneling exploits the DNS protocol to covertly transmit data between a comp - Coordinate with IT and security teams to apply necessary patches and updates to the affected system to close any vulnerabilities exploited by the attacker.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml index bc5e9a057..f2fe9d6cf 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -119,19 +119,49 @@ DNS is crucial for translating domain names into IP addresses, enabling network - Update and enhance DNS monitoring rules to detect similar unusual DNS activity in the future, ensuring rapid identification and response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.004" name = "DNS" reference = "https://attack.mitre.org/techniques/T1071/004/" - +[[rule.threat.technique]] +id = "T1568" +name = "Dynamic Resolution" +reference = "https://attack.mitre.org/techniques/T1568/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml index 390ff8b41..a48e00fa0 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -123,19 +123,36 @@ The 'Unusual Web Request' detection leverages machine learning to identify rare - Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to better detect and block uncommon URLs associated with command-and-control activities.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml index 254e2a724..30ca95d7d 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -133,14 +133,23 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml index e2c5d1237..9fad9a30e 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -135,14 +135,31 @@ The 'Spike in Logon Events' detection leverages machine learning to identify ano - Enhance monitoring and alerting mechanisms to detect similar spikes in logon events in the future, ensuring rapid response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml index 3305439fe..1e36cec12 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -127,22 +127,30 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" @@ -153,10 +161,7 @@ id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml index 999853954..fb80318ed 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -115,19 +115,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index af93615b6..300b73598 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml +++ b/rules/ml/execution_ml_windows_anomalous_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -120,19 +120,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml index 0157a2de1..25ab0ac2b 100644 --- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml +++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -132,14 +132,26 @@ Machine learning models analyze login patterns to identify atypical IP addresses - Implement IP whitelisting or geofencing rules to restrict access from unexpected locations, enhancing future detection and prevention.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index b4a53fb62..d75624732 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -89,14 +89,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/ml/ml_high_count_events_for_a_host_name.toml b/rules/ml/ml_high_count_events_for_a_host_name.toml index 3af1d2417..4baed3cf7 100644 --- a/rules/ml/ml_high_count_events_for_a_host_name.toml +++ b/rules/ml/ml_high_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -95,23 +95,23 @@ The detection of a spike in host-based traffic leverages machine learning to ide [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1498" @@ -123,28 +123,59 @@ id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index 39e7bd4d1..0cd21f75e 100644 --- a/rules/ml/ml_high_count_network_denies.toml +++ b/rules/ml/ml_high_count_network_denies.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -114,62 +114,67 @@ Firewalls and ACLs are critical in controlling network traffic, blocking unautho [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - [[rule.threat.technique]] id = "T1590" name = "Gather Victim Network Information" reference = "https://attack.mitre.org/techniques/T1590/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1498" @@ -181,3 +186,7 @@ id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index be92e900d..c6d68ce99 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -121,11 +121,6 @@ In Linux environments, network ports facilitate communication between applicatio [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" @@ -136,9 +131,24 @@ id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1205" +name = "Traffic Signaling" +reference = "https://attack.mitre.org/techniques/T1205/" + +[[rule.threat.technique.subtechnique]] +id = "T1205.001" +name = "Port Knocking" +reference = "https://attack.mitre.org/techniques/T1205/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -147,13 +157,12 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/ml_low_count_events_for_a_host_name.toml b/rules/ml/ml_low_count_events_for_a_host_name.toml index d2128f0bf..1e9be8d73 100644 --- a/rules/ml/ml_low_count_events_for_a_host_name.toml +++ b/rules/ml/ml_low_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -95,25 +95,30 @@ Host-based traffic monitoring is crucial for identifying anomalies in network ac [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" [[rule.threat.technique]] id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index 21d0d1aac..dd5fc5ab5 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -121,11 +121,6 @@ Machine learning models analyze network traffic to identify atypical domain name [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" @@ -141,6 +136,11 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -152,11 +152,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" @@ -167,16 +162,30 @@ id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index 7c1f674b2..300ac8b85 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -118,11 +118,6 @@ Machine learning models analyze network logs to identify traffic to uncommon des [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" @@ -138,6 +133,11 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -149,11 +149,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" @@ -164,14 +159,14 @@ id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" @@ -182,3 +177,30 @@ id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.001" +name = "Malicious Link" +reference = "https://attack.mitre.org/techniques/T1204/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 9c9c130f5..97ff791d5 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -118,52 +118,61 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 3df432d32..0f4ce5e16 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -92,19 +92,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" @@ -121,26 +126,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index bea679b8e..9c3f5c00f 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -170,19 +170,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index f498ba198..e075e166a 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -173,14 +173,41 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index de8216621..bf7341edc 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -118,19 +118,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 8485f372d..45c5273ac 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -119,8 +119,22 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml index 8c04edd60..e8d45581e 100644 --- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -123,19 +123,44 @@ Compilers transform source code into executable programs, a crucial step in soft - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1588" name = "Obtain Capabilities" reference = "https://attack.mitre.org/techniques/T1588/" + [[rule.threat.technique.subtechnique]] id = "T1588.001" name = "Malware" reference = "https://attack.mitre.org/techniques/T1588/001/" - - [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/network/collection_fortigate_config_download.toml b/rules/network/collection_fortigate_config_download.toml index eaca75f0e..afe6bfcc8 100644 --- a/rules/network/collection_fortigate_config_download.toml +++ b/rules/network/collection_fortigate_config_download.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/01/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -57,6 +57,7 @@ severity = "medium" tags = [ "Use Case: Threat Detection", "Tactic: Collection", + "Tactic: Credential Access", "Resources: Investigation Guide", "Domain: Network", "Data Source: Fortinet", @@ -74,18 +75,36 @@ any where event.dataset == "fortinet_fortigate.log" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1602" name = "Data from Configuration Repository" reference = "https://attack.mitre.org/techniques/T1602/" + [[rule.threat.technique.subtechnique]] id = "T1602.002" name = "Network Device Configuration Dump" reference = "https://attack.mitre.org/techniques/T1602/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml index e586f7519..9f9657187 100644 --- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml +++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw", "fortinet_fortigate", "sonicwall_firewall", "suricata"] maturity = "production" -updated_date = "2026/02/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,32 +104,43 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml index c5d168d66..9e8db1efd 100644 --- a/rules/network/command_and_control_cobalt_strike_beacon.toml +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,24 +82,28 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml index 3e98f2fdb..10408f201 100644 --- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml +++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/05" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/04/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,23 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - +[[rule.threat.technique]] +id = "T1573" +name = "Encrypted Channel" +reference = "https://attack.mitre.org/techniques/T1573/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml index 038ab8322..3a265f93e 100644 --- a/rules/network/command_and_control_fin7_c2_behavior.toml +++ b/rules/network/command_and_control_fin7_c2_behavior.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -43,24 +43,28 @@ destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destinati [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml index 1330bc275..38b3cbc3b 100644 --- a/rules/network/command_and_control_halfbaked_beacon.toml +++ b/rules/network/command_and_control_halfbaked_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,24 +80,28 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index e70052c7f..e7177215b 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,8 +75,22 @@ IPSEC NAT Traversal facilitates secure VPN communication across NAT devices by e [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[[rule.threat.technique]] +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" + +[[rule.threat.technique]] +id = "T1573" +name = "Encrypted Channel" +reference = "https://attack.mitre.org/techniques/T1573/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index 2f2666613..6cde29db3 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = [ risk_score = 21 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d" severity = "low" -tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Tactic: Command and Control", "Tactic: Exfiltration", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -75,20 +75,35 @@ SMTP, typically operating on port 25, is crucial for email transmission. However [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.003" +name = "Mail Protocols" +reference = "https://attack.mitre.org/techniques/T1071/003/" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index 1c67c535c..090339a81 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 47 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488" severity = "medium" -tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Tactic: Command and Control", "Tactic: Lateral Movement", "Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] timeline_id = "300afc76-072d-4261-864d-4149714bf3f1" timeline_title = "Comprehensive Network Timeline" timestamp_override = "event.ingested" @@ -117,28 +117,39 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index bdb785082..c32898e1b 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 73 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8" severity = "high" -tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Tactic: Command and Control", "Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -108,26 +108,31 @@ VNC allows remote control of systems, facilitating maintenance and resource shar [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index 99c927ca9..3c29ae4bf 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 47 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf" severity = "medium" -tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Tactic: Command and Control", "Tactic: Lateral Movement", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -109,14 +109,31 @@ VNC is a tool that allows remote control of computers, often used by administrat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.005" +name = "VNC" +reference = "https://attack.mitre.org/techniques/T1021/005/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 0659815cb..823d7a5bd 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,6 +81,11 @@ Network sweeps are reconnaissance techniques where attackers scan networks to id [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" @@ -108,7 +113,6 @@ reference = "https://attack.mitre.org/techniques/T1595/001/" id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" - [rule.threshold] field = ["source.ip"] value = 1 diff --git a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml index 83e4f3cdf..d5d10c26a 100644 --- a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml +++ b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/01/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -59,6 +59,7 @@ severity = "medium" tags = [ "Use Case: Threat Detection", "Tactic: Initial Access", + "Tactic: Credential Access", "Resources: Investigation Guide", "Domain: Network", "Domain: Identity", @@ -95,19 +96,41 @@ FROM logs-fortinet_fortigate.* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1606" +name = "Forge Web Credentials" +reference = "https://attack.mitre.org/techniques/T1606/" + +[[rule.threat.technique.subtechnique]] +id = "T1606.002" +name = "SAML Tokens" +reference = "https://attack.mitre.org/techniques/T1606/002/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 492129f62..1ee0865b2 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,14 +101,18 @@ RPC enables remote management and resource sharing, crucial for system administr [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index 2072a632c..41a7b2452 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 73 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb" severity = "high" -tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Tactic: Initial Access", "Tactic: Lateral Movement", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -100,14 +100,31 @@ RPC enables remote management and resource sharing across networks, crucial for [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index 18f1e6a95..c82adad47 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/01/07" +updated_date = "2026/04/01" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 47 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a" severity = "medium" -tags = ["Tactic: Initial Access", "Domain: Network", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Tactic: Initial Access", "Tactic: Exfiltration", "Domain: Network", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index 3e4f65b72..9a2017960 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml +++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/11" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -66,7 +66,7 @@ references = [ risk_score = 47 rule_id = "31295df3-277b-4c56-a1fb-84e31b4222a9" severity = "medium" -tags = ["Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint", "Resources: Investigation Guide"] +tags = ["Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Reconnaissance", "Domain: Endpoint", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -79,14 +79,26 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml index 38b0ec200..495662975 100644 --- a/rules/network/lateral_movement_dns_server_overflow.toml +++ b/rules/network/lateral_movement_dns_server_overflow.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -65,6 +65,7 @@ severity = "medium" tags = [ "Use Case: Threat Detection", "Tactic: Lateral Movement", + "Tactic: Impact", "Resources: Investigation Guide", "Use Case: Vulnerability", ] @@ -79,14 +80,31 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1499" +name = "Endpoint Denial of Service" +reference = "https://attack.mitre.org/techniques/T1499/" + +[[rule.threat.technique.subtechnique]] +id = "T1499.004" +name = "Application or System Exploitation" +reference = "https://attack.mitre.org/techniques/T1499/004/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml b/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml index 432f9d326..35bc46d96 100644 --- a/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml +++ b/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/01/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -56,6 +56,7 @@ severity = "high" tags = [ "Use Case: Threat Detection", "Tactic: Persistence", + "Tactic: Initial Access", "Resources: Investigation Guide", "Domain: Network", "Domain: Identity", @@ -79,18 +80,31 @@ sequence by observer.name with maxspan=15m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index c74ed775d..a39b6038b 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,20 +78,25 @@ Elastic Endgame is a security solution that monitors and detects exploit attempt [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 9882090ac..4d457df5d 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,20 +80,25 @@ Elastic Endgame is a security solution designed to prevent exploits by monitorin [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index da56645fb..6368ebe68 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,14 +72,18 @@ Elastic Endgame is a security solution that monitors and detects unauthorized ac [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 9b43b081e..e9b282cff 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,14 +72,18 @@ Elastic Endgame is a security solution that prevents unauthorized access by moni [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 97ba3fb44..972be2ad5 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,6 +102,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" @@ -111,32 +112,36 @@ reference = "https://attack.mitre.org/techniques/T1005/" id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique.subtechnique]] +id = "T1114.001" +name = "Local Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/001/" + [[rule.threat.technique.subtechnique]] id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml index 90ae0bf3c..ba730e779 100644 --- a/rules/windows/collection_mailbox_export_winlog.toml +++ b/rules/windows/collection_mailbox_export_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -120,15 +120,27 @@ powershell.file.script_block_text : "New-MailboxExportRequest" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" reference = "https://attack.mitre.org/techniques/T1005/" +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" + +[[rule.threat.technique.subtechnique]] +id = "T1074.001" +name = "Local Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/001/" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" @@ -139,13 +151,10 @@ id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 3f922888c..3f57ec219 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,39 +129,52 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1123" name = "Audio Capture" reference = "https://attack.mitre.org/techniques/T1123/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1120" +name = "Peripheral Device Discovery" +reference = "https://attack.mitre.org/techniques/T1120/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index d2af75605..e546a3f7a 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -135,38 +135,49 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 516ca6219..2bd02b983 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/26" +updated_date = "2026/03/30" [transform] [[transform.investigate]] @@ -340,33 +340,57 @@ network where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1102" -name = "Web Service" -reference = "https://attack.mitre.org/techniques/T1102/" [[rule.threat.technique]] -id = "T1568" -name = "Dynamic Resolution" -reference = "https://attack.mitre.org/techniques/T1568/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] -id = "T1568.002" -name = "Domain Generation Algorithms" -reference = "https://attack.mitre.org/techniques/T1568/002/" +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" [[rule.threat.technique]] id = "T1090" name = "Proxy" reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique.subtechnique]] id = "T1090.002" name = "External Proxy" reference = "https://attack.mitre.org/techniques/T1090/002/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.001" +name = "Dead Drop Resolver" +reference = "https://attack.mitre.org/techniques/T1102/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + +[[rule.threat.technique]] +id = "T1568" +name = "Dynamic Resolution" +reference = "https://attack.mitre.org/techniques/T1568/" + +[[rule.threat.technique.subtechnique]] +id = "T1568.002" +name = "Domain Generation Algorithms" +reference = "https://attack.mitre.org/techniques/T1568/002/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -374,6 +398,7 @@ framework = "MITRE ATT&CK" id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [[rule.threat.technique.subtechnique]] id = "T1567.001" name = "Exfiltration to Code Repository" @@ -384,10 +409,12 @@ id = "T1567.002" name = "Exfiltration to Cloud Storage" reference = "https://attack.mitre.org/techniques/T1567/002/" - +[[rule.threat.technique.subtechnique]] +id = "T1567.003" +name = "Exfiltration to Text Storage Sites" +reference = "https://attack.mitre.org/techniques/T1567/003/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/windows/command_and_control_dns_susp_tld.toml b/rules/windows/command_and_control_dns_susp_tld.toml index f4611ddfc..389874743 100644 --- a/rules/windows/command_and_control_dns_susp_tld.toml +++ b/rules/windows/command_and_control_dns_susp_tld.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,41 @@ dns.question.name regex """.*\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.004" name = "DNS" reference = "https://attack.mitre.org/techniques/T1071/004/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index a9db0f9e4..f04720d68 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,31 +89,59 @@ Internet Explorer can be manipulated via the Component Object Model (COM) to ini [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml b/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml index 8a0b48ac4..43d260908 100644 --- a/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml +++ b/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml @@ -9,7 +9,7 @@ integration = [ "crowdstrike", ] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -195,10 +195,12 @@ from logs-endpoint.events.process-*, endgame-*, logs-crowdstrike.fdr*, logs-m365 [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" + [[rule.threat.technique.subtechnique]] id = "T1219.002" name = "Remote Desktop Software" diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml index 04953eaf7..bc15bf40d 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml +++ b/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -493,10 +493,12 @@ host.os.type: "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" + [[rule.threat.technique.subtechnique]] id = "T1219.002" name = "Remote Desktop Software" @@ -506,7 +508,6 @@ reference = "https://attack.mitre.org/techniques/T1219/002/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml index e584f93e7..c4997d4fb 100644 --- a/rules/windows/command_and_control_outlook_home_page.toml +++ b/rules/windows/command_and_control_outlook_home_page.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -97,21 +97,26 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" + [[rule.threat.technique.subtechnique]] id = "T1137.004" name = "Outlook Home Page" reference = "https://attack.mitre.org/techniques/T1137/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 0e73d7b7a..51b0f50b6 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,26 +95,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.001" +name = "Internal Proxy" +reference = "https://attack.mitre.org/techniques/T1090/001/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index 14e373d6b..b3e6cdf40 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,31 +91,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/command_and_control_remcos_rat_iocs.toml b/rules/windows/command_and_control_remcos_rat_iocs.toml index e7563a52d..9b9784c5f 100644 --- a/rules/windows/command_and_control_remcos_rat_iocs.toml +++ b/rules/windows/command_and_control_remcos_rat_iocs.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,14 +91,49 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.001" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1547/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 9042a919e..ff5739466 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -123,31 +123,36 @@ sequence by host.id, process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml index 8ae791c89..f7d5966fa 100644 --- a/rules/windows/command_and_control_screenconnect_childproc.toml +++ b/rules/windows/command_and_control_screenconnect_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/27" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,14 +107,107 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml index 760413874..e7ad0618a 100644 --- a/rules/windows/command_and_control_tool_transfer_via_curl.toml +++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,14 +108,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/windows/command_and_control_tunnel_cloudflared.toml b/rules/windows/command_and_control_tunnel_cloudflared.toml index 520433f13..eb025de67 100644 --- a/rules/windows/command_and_control_tunnel_cloudflared.toml +++ b/rules/windows/command_and_control_tunnel_cloudflared.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,6 +80,17 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.002" +name = "External Proxy" +reference = "https://attack.mitre.org/techniques/T1090/002/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/windows/command_and_control_tunnel_yuze.toml b/rules/windows/command_and_control_tunnel_yuze.toml index a3a6314cc..cd3862339 100644 --- a/rules/windows/command_and_control_tunnel_yuze.toml +++ b/rules/windows/command_and_control_tunnel_yuze.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,6 +86,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" @@ -95,3 +101,21 @@ reference = "https://attack.mitre.org/techniques/T1572/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/command_and_control_velociraptor_shell_execution.toml b/rules/windows/command_and_control_velociraptor_shell_execution.toml index e3a239e97..8801cffc6 100644 --- a/rules/windows/command_and_control_velociraptor_shell_execution.toml +++ b/rules/windows/command_and_control_velociraptor_shell_execution.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,10 +90,12 @@ process where host.os.type == "windows" and event.type == "start" and process.co [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" + [[rule.threat.technique.subtechnique]] id = "T1219.002" name = "Remote Desktop Software" @@ -104,3 +106,43 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/credential_access_browsers_unusual_parent.toml b/rules/windows/credential_access_browsers_unusual_parent.toml index 7ba940e2c..b02f77448 100644 --- a/rules/windows/credential_access_browsers_unusual_parent.toml +++ b/rules/windows/credential_access_browsers_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/27" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,10 +108,17 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1539" +name = "Steal Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1539/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.003" name = "Credentials from Web Browsers" @@ -122,4 +129,15 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1185" +name = "Browser Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1185/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml index e22064817..4c78e191a 100644 --- a/rules/windows/credential_access_dcsync_user_backdoor.toml +++ b/rules/windows/credential_access_dcsync_user_backdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,19 +106,31 @@ event.code:"5136" and host.os.type:"windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.006" name = "DCSync" reference = "https://attack.mitre.org/techniques/T1003/006/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index f69365d6a..f71fe2879 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,48 +91,62 @@ any where host.os.type == "windows" and event.code == "4738" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.004" name = "AS-REP Roasting" reference = "https://attack.mitre.org/techniques/T1558/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml index 4dd21727d..4f3271ced 100644 --- a/rules/windows/credential_access_dnsnode_creation.toml +++ b/rules/windows/credential_access_dnsnode_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,14 +104,18 @@ any where host.os.type == "windows" and event.code == "5137" and winlog.event_da [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_dollar_account_relay_kerberos.toml b/rules/windows/credential_access_dollar_account_relay_kerberos.toml index 0a76152c2..0566e9d88 100644 --- a/rules/windows/credential_access_dollar_account_relay_kerberos.toml +++ b/rules/windows/credential_access_dollar_account_relay_kerberos.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/18" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,6 +106,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" @@ -115,15 +116,26 @@ reference = "https://attack.mitre.org/techniques/T1187/" id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 25f74db62..719a14ef0 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -57,24 +57,33 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.003" +name = "NTDS" +reference = "https://attack.mitre.org/techniques/T1003/003/" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index ad8287b96..025d8529f 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,14 +95,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml index cba252630..24bfc0ac8 100644 --- a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml +++ b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Matteo Potito Giorgio"] @@ -99,14 +99,31 @@ not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 7f3932dce..e091bb385 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/30" [transform] [[transform.osquery]] @@ -168,14 +168,36 @@ network where host.os.type == "windows" and event.type == "start" and network.di [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" +[[rule.threat.technique.subtechnique]] +id = "T1558.003" +name = "Kerberoasting" +reference = "https://attack.mitre.org/techniques/T1558/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.003" +name = "Pass the Ticket" +reference = "https://attack.mitre.org/techniques/T1550/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/credential_access_kerberos_coerce.toml b/rules/windows/credential_access_kerberos_coerce.toml index 0ddf57939..8c9692a2d 100644 --- a/rules/windows/credential_access_kerberos_coerce.toml +++ b/rules/windows/credential_access_kerberos_coerce.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/14" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,24 +103,23 @@ host.os.type:"windows" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1557" -name = "Adversary-in-the-Middle" -reference = "https://attack.mitre.org/techniques/T1557/" -[[rule.threat.technique.subtechnique]] -id = "T1557.001" -name = "LLMNR/NBT-NS Poisoning and SMB Relay" -reference = "https://attack.mitre.org/techniques/T1557/001/" - [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" reference = "https://attack.mitre.org/techniques/T1187/" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_kerberos_coerce_dns.toml b/rules/windows/credential_access_kerberos_coerce_dns.toml index 0269e12bb..e9750ecd5 100644 --- a/rules/windows/credential_access_kerberos_coerce_dns.toml +++ b/rules/windows/credential_access_kerberos_coerce_dns.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/14" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/06/14" +updated_date = "2026/03/24" [transform] [[transform.investigate]] @@ -95,24 +95,23 @@ network where host.os.type == "windows" and dns.question.name : "*UWhRC*BAAAA*" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1557" -name = "Adversary-in-the-Middle" -reference = "https://attack.mitre.org/techniques/T1557/" -[[rule.threat.technique.subtechnique]] -id = "T1557.001" -name = "LLMNR/NBT-NS Poisoning and SMB Relay" -reference = "https://attack.mitre.org/techniques/T1557/001/" - [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" reference = "https://attack.mitre.org/techniques/T1187/" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml index 9cb9ff680..d076bed63 100644 --- a/rules/windows/credential_access_ldap_attributes.toml +++ b/rules/windows/credential_access_ldap_attributes.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,7 @@ any where host.os.type == "windows" and event.code == "4662" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" @@ -127,32 +128,49 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - +[[rule.threat.technique]] +id = "T1649" +name = "Steal or Forge Authentication Certificates" +reference = "https://attack.mitre.org/techniques/T1649/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index cb444a5b0..4f25fe6c2 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,19 +142,36 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for managing s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.005" +name = "Security Support Provider" +reference = "https://attack.mitre.org/techniques/T1547/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_machine_account_smb_relay.toml b/rules/windows/credential_access_machine_account_smb_relay.toml index 74eb4c912..4fddce0ca 100644 --- a/rules/windows/credential_access_machine_account_smb_relay.toml +++ b/rules/windows/credential_access_machine_account_smb_relay.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,6 +82,7 @@ file where host.os.type == "windows" and event.code == "5145" and endswith(user. [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" @@ -91,15 +92,31 @@ reference = "https://attack.mitre.org/techniques/T1187/" id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index cbc58475e..8b7aa352c 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,14 +96,36 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.005" +name = "Security Support Provider" +reference = "https://attack.mitre.org/techniques/T1547/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 19d4c6879..6366fd233 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,22 +135,44 @@ powershell.file.script_block_text:( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - +[[rule.threat.technique]] +id = "T1649" +name = "Steal or Forge Authentication Certificates" +reference = "https://attack.mitre.org/techniques/T1649/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index d54be2d33..03fe54854 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,19 +100,31 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 7dc0c02f2..9c4ed0a37 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,36 +83,49 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" reference = "https://attack.mitre.org/techniques/T1003/002/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 3f82b5ebb..a66e6cacb 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/18" integration = ["endpoint", "m365_defender", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -151,26 +151,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.008" +name = "Network Provider DLL" +reference = "https://attack.mitre.org/techniques/T1556/008/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml index 756fcb25e..0713a1dcf 100644 --- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml +++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,10 +142,12 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" @@ -156,43 +158,51 @@ id = "T1003.003" name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.004" +name = "LSA Secrets" +reference = "https://attack.mitre.org/techniques/T1003/004/" +[[rule.threat.technique.subtechnique]] +id = "T1003.005" +name = "Cached Domain Credentials" +reference = "https://attack.mitre.org/techniques/T1003/005/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1006" name = "Direct Volume Access" reference = "https://attack.mitre.org/techniques/T1006/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml index 8039fe58c..2050fa06d 100644 --- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml +++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -126,40 +126,49 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml index 87be03b98..22fae39b3 100644 --- a/rules/windows/credential_access_posh_relay_tools.toml +++ b/rules/windows/credential_access_posh_relay_tools.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/27" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,52 +125,57 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.002" name = "Pass the Hash" reference = "https://attack.mitre.org/techniques/T1550/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml index fa457a50f..320d82c2d 100644 --- a/rules/windows/credential_access_posh_veeam_sql.toml +++ b/rules/windows/credential_access_posh_veeam_sql.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -140,6 +140,7 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" @@ -150,30 +151,41 @@ id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml index 89cddbac0..41ab73ef4 100644 --- a/rules/windows/credential_access_rare_webdav_destination.toml +++ b/rules/windows/credential_access_rare_webdav_destination.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/28" integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/01/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,14 +87,31 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" reference = "https://attack.mitre.org/techniques/T1187/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_regback_sam_security_hives.toml b/rules/windows/credential_access_regback_sam_security_hives.toml index 45500f46a..711ea0363 100644 --- a/rules/windows/credential_access_regback_sam_security_hives.toml +++ b/rules/windows/credential_access_regback_sam_security_hives.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,10 +79,12 @@ file where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" @@ -93,7 +95,10 @@ id = "T1003.004" name = "LSA Secrets" reference = "https://attack.mitre.org/techniques/T1003/004/" - +[[rule.threat.technique.subtechnique]] +id = "T1003.005" +name = "Cached Domain Credentials" +reference = "https://attack.mitre.org/techniques/T1003/005/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml index bb46707c1..0f9a40028 100644 --- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,31 +100,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + [[rule.threat.technique]] id = "T1212" name = "Exploitation for Credential Access" reference = "https://attack.mitre.org/techniques/T1212/" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml index f2acb0609..a3571a461 100644 --- a/rules/windows/credential_access_shadow_credentials.toml +++ b/rules/windows/credential_access_shadow_credentials.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,14 +107,26 @@ event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAP [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml index f7b5e02f1..676de53b1 100644 --- a/rules/windows/credential_access_spn_attribute_modified.toml +++ b/rules/windows/credential_access_spn_attribute_modified.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/22" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,19 +106,31 @@ event.code:5136 and host.os.type:"windows" and winlog.event_data.OperationType:" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml index a1e9768b4..dc5054e53 100644 --- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml +++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/17" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -137,36 +137,46 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index e63eabdab..5fb6a32c5 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,10 +108,12 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" @@ -122,22 +124,25 @@ id = "T1003.004" name = "LSA Secrets" reference = "https://attack.mitre.org/techniques/T1003/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml index a019bfa0a..b8650e2ef 100644 --- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/12/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -124,10 +124,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" @@ -138,10 +140,20 @@ id = "T1003.003" name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml index 26d95dd35..2895e6e80 100644 --- a/rules/windows/credential_access_veeam_commands.toml +++ b/rules/windows/credential_access_veeam_commands.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,6 +94,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" @@ -104,26 +105,38 @@ id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/credential_access_web_config_file_access.toml b/rules/windows/credential_access_web_config_file_access.toml index e8bd3d77a..e3ea0ffc9 100644 --- a/rules/windows/credential_access_web_config_file_access.toml +++ b/rules/windows/credential_access_web_config_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,18 +79,39 @@ event.category:file and host.os.type:windows and event.action:open and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable", "user.id"] diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index fb7134167..efaef16ac 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/30" [transform] [[transform.osquery]] @@ -123,31 +123,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index f239ebb7b..61813c4a8 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,39 +132,49 @@ event.category:"process" and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index c2f04f5a8..50a42f7e7 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,24 +98,28 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml index bbf8c289d..aa8288996 100644 --- a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -237,10 +237,12 @@ Communication apps like Slack, WebEx, and Teams are integral to modern workflows [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -251,27 +253,38 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 3560277bb..514692fc0 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -154,19 +154,31 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" + [[rule.threat.technique.subtechnique]] id = "T1553.004" name = "Install Root Certificate" reference = "https://attack.mitre.org/techniques/T1553/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml index a3daa0e4c..e808563ba 100644 --- a/rules/windows/defense_evasion_disable_nla.toml +++ b/rules/windows/defense_evasion_disable_nla.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/25" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -102,9 +103,30 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.010" +name = "Downgrade Attack" +reference = "https://attack.mitre.org/techniques/T1562/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index e6b5d1487..8efcca4ce 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,36 +90,76 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index e9ad302d9..0ac8e7710 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,19 +91,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.004" name = "Disable or Modify System Firewall" reference = "https://attack.mitre.org/techniques/T1562/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 2cc57b1fc..23c029f86 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -138,14 +138,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 93810f621..c5fd16c25 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,26 +119,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 078583b84..d9184a4ec 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,27 +87,40 @@ host.os.type:windows and event.category:process and event.type:start and ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -123,13 +136,15 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index c2e91fd65..08c29c23c 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,26 +91,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index ba363f8f5..83083001b 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,32 +88,49 @@ process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index e1eaae3f8..4bc03f720 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Dennis Perto"] @@ -106,19 +106,33 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 628a39d09..2adf52c0c 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,6 +85,17 @@ registry where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.013" +name = "Encrypted/Encoded File" +reference = "https://attack.mitre.org/techniques/T1027/013/" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -95,9 +106,7 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 1f7de5422..608e97c8b 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -89,19 +89,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_indirect_exec_conhost.toml b/rules/windows/defense_evasion_indirect_exec_conhost.toml index 12330d28d..2bf8c9b53 100644 --- a/rules/windows/defense_evasion_indirect_exec_conhost.toml +++ b/rules/windows/defense_evasion_indirect_exec_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/21" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -80,14 +80,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_indirect_exec_openssh.toml b/rules/windows/defense_evasion_indirect_exec_openssh.toml index 0e3563dde..2ab97f6ee 100644 --- a/rules/windows/defense_evasion_indirect_exec_openssh.toml +++ b/rules/windows/defense_evasion_indirect_exec_openssh.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/21" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -80,14 +80,13 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml index bc19ee7ef..760a67eeb 100644 --- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml +++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,14 +95,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml index 6f434c174..666ad8bda 100644 --- a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml +++ b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,7 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -101,14 +102,31 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 47bf071a3..00ea4e6ed 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,19 +111,28 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique.subtechnique]] +id = "T1055.012" +name = "Process Hollowing" +reference = "https://attack.mitre.org/techniques/T1055/012/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 182bab159..749e89527 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -128,19 +128,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.010" +name = "AutoHotKey & AutoIT" +reference = "https://attack.mitre.org/techniques/T1059/010/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 2b7315a79..7e8e3addb 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -140,6 +140,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -150,9 +151,12 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index 5f9e89575..0a7daa1af 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -146,19 +146,31 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/defense_evasion_mshta_susp_child.toml b/rules/windows/defense_evasion_mshta_susp_child.toml index 2d5a06f7b..bbf270aa6 100644 --- a/rules/windows/defense_evasion_mshta_susp_child.toml +++ b/rules/windows/defense_evasion_mshta_susp_child.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -93,19 +93,51 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_msiexec_remote_payload.toml b/rules/windows/defense_evasion_msiexec_remote_payload.toml index ba656ec2c..7d4242385 100644 --- a/rules/windows/defense_evasion_msiexec_remote_payload.toml +++ b/rules/windows/defense_evasion_msiexec_remote_payload.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,19 +92,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index b4eaa6909..04e635393 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,14 +85,26 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index 1d2398731..84e34022c 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/30" [transform] [[transform.osquery]] @@ -166,34 +166,68 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.002" +name = "Control Panel" +reference = "https://attack.mitre.org/techniques/T1218/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index 7e8558da5..bf0b6c60d 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,36 +109,46 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.002" name = "Pass the Hash" reference = "https://attack.mitre.org/techniques/T1550/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml index b21cc5070..4b9f5f88a 100644 --- a/rules/windows/defense_evasion_posh_assembly_load.toml +++ b/rules/windows/defense_evasion_posh_assembly_load.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -148,10 +148,12 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.001" name = "Dynamic-link Library Injection" @@ -162,35 +164,38 @@ id = "T1055.002" name = "Portable Executable Injection" reference = "https://attack.mitre.org/techniques/T1055/002/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" [[rule.threat.technique]] id = "T1620" name = "Reflective Code Loading" reference = "https://attack.mitre.org/techniques/T1620/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml index 1af9d0caf..c012fa70c 100644 --- a/rules/windows/defense_evasion_posh_compressed.toml +++ b/rules/windows/defense_evasion_posh_compressed.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -149,39 +149,44 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.015" +name = "Compression" +reference = "https://attack.mitre.org/techniques/T1027/015/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml index c5e38dabe..9119cddd7 100644 --- a/rules/windows/defense_evasion_posh_encryption.toml +++ b/rules/windows/defense_evasion_posh_encryption.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -140,22 +140,39 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.013" +name = "Encrypted/Encoded File" +reference = "https://attack.mitre.org/techniques/T1027/013/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_high_entropy.toml b/rules/windows/defense_evasion_posh_high_entropy.toml index 4519eaa50..1c33761d1 100644 --- a/rules/windows/defense_evasion_posh_high_entropy.toml +++ b/rules/windows/defense_evasion_posh_high_entropy.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/08" integration = ["windows"] maturity = "production" -updated_date = "2026/01/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,40 +142,44 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml index 3f18767f3..ad0f576c6 100644 --- a/rules/windows/defense_evasion_posh_obfuscation.toml +++ b/rules/windows/defense_evasion_posh_obfuscation.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/03" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,36 +122,41 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml index 98b2aa03b..593600d75 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -167,39 +167,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml index 8f1bd286c..5b4f541ef 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -151,39 +151,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml index c138be71e..c13cd36ba 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -134,39 +134,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml index 4b1409da8..3d73602c1 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -161,39 +161,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml index 9f3f14ce7..b9785e0c3 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -147,39 +147,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml index 68743a181..1a012eb64 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -149,39 +149,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml index 7ee84b163..fd336eafc 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -163,39 +163,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml index f876139f3..13a9aad74 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -144,39 +144,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml index c8686112b..665b435f5 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -153,39 +153,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml index ef57939e4..2dbcf2f1a 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -152,39 +152,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml index c92ccaac1..43d8fd31d 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/03" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -174,39 +174,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml index eea41de37..b681c674f 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -167,39 +167,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 26f468995..a97fe1e9e 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -139,10 +139,12 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.001" name = "Dynamic-link Library Injection" @@ -153,35 +155,43 @@ id = "T1055.002" name = "Portable Executable Injection" reference = "https://attack.mitre.org/techniques/T1055/002/" +[[rule.threat.technique.subtechnique]] +id = "T1055.003" +name = "Thread Execution Hijacking" +reference = "https://attack.mitre.org/techniques/T1055/003/" +[[rule.threat.technique.subtechnique]] +id = "T1055.004" +name = "Asynchronous Procedure Call" +reference = "https://attack.mitre.org/techniques/T1055/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index 0bb678f64..f388d5379 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,14 +110,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml index d3516cd51..74bb37e81 100644 --- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml +++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/10/07" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,31 +94,36 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml index 7aba4b1f6..8bf18cae2 100644 --- a/rules/windows/defense_evasion_regmod_remotemonologue.toml +++ b/rules/windows/defense_evasion_regmod_remotemonologue.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/09/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -128,9 +129,25 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.015" +name = "Component Object Model Hijacking" +reference = "https://attack.mitre.org/techniques/T1546/015/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/defense_evasion_sccm_scnotification_dll.toml b/rules/windows/defense_evasion_sccm_scnotification_dll.toml index 2e9bde60d..9091ea5c3 100644 --- a/rules/windows/defense_evasion_sccm_scnotification_dll.toml +++ b/rules/windows/defense_evasion_sccm_scnotification_dll.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -74,14 +74,18 @@ CcmExec, part of Microsoft's System Center Configuration Manager, manages client [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml index 79779d38a..b170725e2 100644 --- a/rules/windows/defense_evasion_script_via_html_app.toml +++ b/rules/windows/defense_evasion_script_via_html_app.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/09" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] @@ -121,10 +121,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" @@ -135,10 +137,30 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 18215c26f..585068b0d 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -99,6 +99,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -108,30 +109,30 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index d31877d16..9698c3f6a 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -140,14 +140,44 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index cf9205c5f..53084bb05 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -86,15 +86,32 @@ process where host.os.type == "windows" and event.type == "start" and process.ex [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" @@ -105,18 +122,24 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -127,10 +150,17 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index 30a19f5a7..a3e25bc19 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -95,14 +95,51 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml index d6f9837ab..82c550c58 100644 --- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml +++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/24" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,14 +83,18 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique.subtechnique]] +id = "T1055.012" +name = "Process Hollowing" +reference = "https://attack.mitre.org/techniques/T1055/012/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index 8b30df05e..e931dae2d 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,19 +94,31 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" reference = "https://attack.mitre.org/techniques/T1218/010/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 45706563e..3e0c53a79 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,26 +83,31 @@ sequence by process.entity_id with maxspan = 2m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 2b461a36b..611a28342 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -131,6 +131,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" @@ -141,21 +142,35 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 5c5acb373..2126ccfcd 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -136,26 +136,39 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1211" name = "Exploitation for Defense Evasion" reference = "https://attack.mitre.org/techniques/T1211/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml index c9a0df30c..b38f32009 100644 --- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml +++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/04" +updated_date = "2026/03/30" [transform] [[transform.osquery]] @@ -119,19 +119,18 @@ driver where host.os.type == "windows" and process.pid == 4 and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index ef3d4c6c6..51aaa7fc9 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,14 +88,26 @@ sequence by host.id, process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index 8dd19e5c3..1639e5fbd 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -95,14 +95,28 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml index 236dce5f9..2d1d79edb 100644 --- a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml +++ b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,14 +91,18 @@ file where host.os.type == "windows" and event.action != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml index 2b3015a7d..2bf6e1fcd 100644 --- a/rules/windows/defense_evasion_windows_filtering_platform.toml +++ b/rules/windows/defense_evasion_windows_filtering_platform.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -136,19 +136,23 @@ sequence by winlog.computer_name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + [[rule.threat.technique.subtechnique]] id = "T1562.004" name = "Disable or Modify System Firewall" reference = "https://attack.mitre.org/techniques/T1562/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml index dd3fab8da..61fdcc336 100644 --- a/rules/windows/defense_evasion_workfolders_control_execution.toml +++ b/rules/windows/defense_evasion_workfolders_control_execution.toml @@ -2,7 +2,7 @@ creation_date = "2022/03/02" integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -95,14 +95,33 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.008" +name = "Path Interception by Search Order Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml index f0dae674a..42ba25c63 100644 --- a/rules/windows/defense_evasion_wsl_bash_exec.toml +++ b/rules/windows/defense_evasion_wsl_bash_exec.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,31 +103,49 @@ process where host.os.type == "windows" and event.type : "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml index 54afa1516..96f71cd4e 100644 --- a/rules/windows/defense_evasion_wsl_child_process.toml +++ b/rules/windows/defense_evasion_wsl_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,14 +119,31 @@ process where host.os.type == "windows" and event.type : "start" and process.com [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index 3fbc26826..f210bf69d 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -91,14 +91,13 @@ process where host.os.type == "windows" and event.type : "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml index 6ec6a72e9..44f6745bb 100644 --- a/rules/windows/defense_evasion_wsl_filesystem.toml +++ b/rules/windows/defense_evasion_wsl_filesystem.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,14 +88,31 @@ sequence by process.entity_id with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index 1d34d559f..d8753675b 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml +++ b/rules/windows/defense_evasion_wsl_kalilinux.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,14 +100,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml index ca02fcc75..2e219f30e 100644 --- a/rules/windows/defense_evasion_wsl_registry_modification.toml +++ b/rules/windows/defense_evasion_wsl_registry_modification.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,6 +90,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -100,9 +101,25 @@ id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml index 56600c523..9d12b1b69 100644 --- a/rules/windows/discovery_active_directory_webservice.toml +++ b/rules/windows/discovery_active_directory_webservice.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,14 +83,33 @@ Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) o [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 03d5ecdf5..bee03e290 100644 --- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,31 +96,36 @@ not (process.parent.name : "cmd.exe" and process.working_directory : "C:\\Progra [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml index ba1b6f16b..53ce1bbbc 100644 --- a/rules/windows/discovery_high_number_ad_properties.toml +++ b/rules/windows/discovery_high_number_ad_properties.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/29" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,14 +85,33 @@ any where host.os.type == "windows" and event.code == "4662" and not winlog.even [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" + +[[rule.threat.technique]] +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_host_public_ip_address_lookup.toml b/rules/windows/discovery_host_public_ip_address_lookup.toml index 70ce393aa..3382a1131 100644 --- a/rules/windows/discovery_host_public_ip_address_lookup.toml +++ b/rules/windows/discovery_host_public_ip_address_lookup.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -131,30 +131,35 @@ network where host.os.type == "windows" and dns.question.name != null and proces [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.004" name = "DNS" reference = "https://attack.mitre.org/techniques/T1071/004/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index 4fa1272e1..7c8df00fe 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -165,76 +165,112 @@ case_insensitive = true value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1007" +name = "System Service Discovery" +reference = "https://attack.mitre.org/techniques/T1007/" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" +[[rule.threat.technique]] +id = "T1201" +name = "Password Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1201/" + [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index 0c166da5f..80a9d2adb 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,14 +117,18 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index c7deeed35..933814648 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,19 +105,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index 764af8ffa..9f5a04ad7 100644 --- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -134,29 +134,39 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index 6424adbe5..46e6569f8 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/01/29" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -132,17 +132,26 @@ not process.args:(".\inetsrv\iissetup.exe /keygen " or "C:\Program" or "C:\Progr [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["process.command_line"] diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml index c728a7ba0..edc622874 100644 --- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml +++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,28 +103,50 @@ sequence by process.parent.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + [[rule.threat.technique]] id = "T1216" name = "System Script Proxy Execution" @@ -134,6 +156,7 @@ reference = "https://attack.mitre.org/techniques/T1216/" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.003" name = "CMSTP" @@ -164,7 +187,6 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" @@ -174,15 +196,13 @@ reference = "https://attack.mitre.org/techniques/T1220/" id = "T1497" name = "Virtualization/Sandbox Evasion" reference = "https://attack.mitre.org/techniques/T1497/" + [[rule.threat.technique.subtechnique]] id = "T1497.003" name = "Time Based Checks" reference = "https://attack.mitre.org/techniques/T1497/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml index 1e0176989..27e5073ec 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules/windows/execution_downloaded_url_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/06/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,22 +72,30 @@ URL shortcut files, typically used for quick access to web resources, can be exp [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -98,10 +106,7 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index 15f892254..5b7c76345 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,38 +99,65 @@ process where host.os.type == "windows" and event.type == "start" and process.co [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1007" +name = "System Service Discovery" +reference = "https://attack.mitre.org/techniques/T1007/" + +[[rule.threat.technique]] +id = "T1012" +name = "Query Registry" +reference = "https://attack.mitre.org/techniques/T1012/" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = "https://attack.mitre.org/techniques/T1049/" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" @@ -141,9 +168,12 @@ id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" +[[rule.threat.technique]] +id = "T1615" +name = "Group Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1615/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index 2b11f8ec9..51e7dee44 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -236,36 +236,76 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index 62b894c0d..98d60148c 100644 --- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -140,36 +140,49 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.001" name = "Compiled HTML File" reference = "https://attack.mitre.org/techniques/T1218/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml index 1724e0f67..084cd4eff 100644 --- a/rules/windows/execution_initial_access_foxmail_exploit.toml +++ b/rules/windows/execution_initial_access_foxmail_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/29" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,26 +90,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1189" name = "Drive-by Compromise" reference = "https://attack.mitre.org/techniques/T1189/" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index b0fc6db60..1f7219d96 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,27 +100,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -131,10 +134,25 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.014" +name = "MMC" +reference = "https://attack.mitre.org/techniques/T1218/014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml index b6d8c918d..cef5e3fb0 100644 --- a/rules/windows/execution_initial_access_wps_dll_exploit.toml +++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,26 +88,49 @@ any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1189" name = "Drive-by Compromise" reference = "https://attack.mitre.org/techniques/T1189/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index 979a2d927..330a2bc73 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,16 +99,34 @@ sequence with maxspan=2h [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -119,10 +137,7 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_nodejs_susp_patterns.toml b/rules/windows/execution_nodejs_susp_patterns.toml index 56fb9fb8b..4bdf3d086 100644 --- a/rules/windows/execution_nodejs_susp_patterns.toml +++ b/rules/windows/execution_nodejs_susp_patterns.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/21" +updated_date = "2026/03/24" [rule] @@ -109,11 +109,25 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_notepad_markdown_child_process.toml b/rules/windows/execution_notepad_markdown_child_process.toml index c7f3b8f24..13e0813ef 100644 --- a/rules/windows/execution_notepad_markdown_child_process.toml +++ b/rules/windows/execution_notepad_markdown_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/16" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,11 +81,21 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml index 8e6c5f0f7..88eba40cf 100644 --- a/rules/windows/execution_posh_hacktool_functions.toml +++ b/rules/windows/execution_posh_hacktool_functions.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -310,22 +310,195 @@ case_insensitive = true value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.006" +name = "DCSync" +reference = "https://attack.mitre.org/techniques/T1003/006/" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.006" +name = "Group Policy Preferences" +reference = "https://attack.mitre.org/techniques/T1552/006/" + +[[rule.threat.technique]] +id = "T1558" +name = "Steal or Forge Kerberos Tickets" +reference = "https://attack.mitre.org/techniques/T1558/" + +[[rule.threat.technique.subtechnique]] +id = "T1558.003" +name = "Kerberoasting" +reference = "https://attack.mitre.org/techniques/T1558/003/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique]] +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.001" +name = "Exfiltration to Code Repository" +reference = "https://attack.mitre.org/techniques/T1567/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.005" +name = "Security Support Provider" +reference = "https://attack.mitre.org/techniques/T1547/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.006" +name = "Windows Remote Management" +reference = "https://attack.mitre.org/techniques/T1021/006/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 2053274ce..d52be5d20 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,34 +118,44 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.013" +name = "Encrypted/Encoded File" +reference = "https://attack.mitre.org/techniques/T1027/013/" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml index f5e2c08a1..25a637bbd 100644 --- a/rules/windows/execution_powershell_susp_args_via_winscript.toml +++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/09" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,10 +105,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -124,10 +126,30 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_revshell_cmd_via_netcat.toml b/rules/windows/execution_revshell_cmd_via_netcat.toml index 2ca0d6e9e..3abeef4be 100644 --- a/rules/windows/execution_revshell_cmd_via_netcat.toml +++ b/rules/windows/execution_revshell_cmd_via_netcat.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/10/14" +updated_date = "2026/03/24" [rule] @@ -75,10 +75,12 @@ process.name : ("cmd.exe", "powershell.exe") and process.parent.args : "-e" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -89,9 +91,20 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index 67a11ba82..831940877 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/11/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,29 +82,46 @@ sequence by host.id, process.entity_id with maxspan = 5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/execution_scripting_remote_webdav.toml b/rules/windows/execution_scripting_remote_webdav.toml index bce62a907..bc04b569d 100644 --- a/rules/windows/execution_scripting_remote_webdav.toml +++ b/rules/windows/execution_scripting_remote_webdav.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,41 +80,64 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" reference = "https://attack.mitre.org/techniques/T1570/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/execution_scripts_archive_file.toml b/rules/windows/execution_scripts_archive_file.toml index 8bc7d0e44..5243860e9 100644 --- a/rules/windows/execution_scripts_archive_file.toml +++ b/rules/windows/execution_scripts_archive_file.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/24" [rule] @@ -104,20 +104,27 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index 26b1f2df8..3c92dda7f 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -60,14 +60,31 @@ file where host.os.type == "windows" and file.extension : "dll" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1129" name = "Shared Modules" reference = "https://attack.mitre.org/techniques/T1129/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_susp_javascript_via_deno.toml b/rules/windows/execution_susp_javascript_via_deno.toml index ec8fe357c..97d11c507 100644 --- a/rules/windows/execution_susp_javascript_via_deno.toml +++ b/rules/windows/execution_susp_javascript_via_deno.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/19" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -77,10 +77,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" @@ -90,3 +92,29 @@ reference = "https://attack.mitre.org/techniques/T1059/007/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 9f27f9612..997ab7641 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,6 +94,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -103,15 +104,31 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index c816d82ec..8dbb33050 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,31 +113,117 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 6fcd26f68..fc830cb9c 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,36 +80,54 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 15d381da7..527d9eae4 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -145,36 +145,56 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.001" name = "Compiled HTML File" reference = "https://attack.mitre.org/techniques/T1218/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml index 52678af58..4d0567ab5 100644 --- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml +++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,10 +106,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" @@ -120,27 +122,35 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml index 9d8c46104..7e8578f6b 100644 --- a/rules/windows/execution_windows_cmd_shell_susp_args.toml +++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -161,19 +161,59 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml index f2fdff5ae..3b73fe7f1 100644 --- a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml +++ b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,10 +84,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -98,47 +100,58 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.004" +name = "Malicious Copy and Paste" +reference = "https://attack.mitre.org/techniques/T1204/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/windows/execution_windows_phish_clickfix.toml b/rules/windows/execution_windows_phish_clickfix.toml index 499cedf62..ff9f43a3a 100644 --- a/rules/windows/execution_windows_phish_clickfix.toml +++ b/rules/windows/execution_windows_phish_clickfix.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,10 +83,12 @@ not (process.name : "rundll32.exe" and process.args : ("ndfapi.dll,NdfRunDllDiag [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -97,45 +99,61 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.004" +name = "Malicious Copy and Paste" +reference = "https://attack.mitre.org/techniques/T1204/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml index ff0cfea30..12f07fbe1 100644 --- a/rules/windows/execution_windows_powershell_susp_args.toml +++ b/rules/windows/execution_windows_powershell_susp_args.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -186,19 +186,54 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml index b0f8b6c40..1df195731 100644 --- a/rules/windows/execution_windows_script_from_internet.toml +++ b/rules/windows/execution_windows_script_from_internet.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" min_stack_version = "9.1.0" min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases." @@ -93,6 +93,16 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" @@ -103,23 +113,29 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" @@ -130,10 +146,7 @@ id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/exfiltration_rclone_cloud_upload.toml b/rules/windows/exfiltration_rclone_cloud_upload.toml index 48377c25e..b66cc9b1c 100644 --- a/rules/windows/exfiltration_rclone_cloud_upload.toml +++ b/rules/windows/exfiltration_rclone_cloud_upload.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,12 +84,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 1e007cf4c..5811c56fa 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,17 +117,29 @@ event.category:network and host.os.type:windows and process.pid:4 and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["destination.ip"] diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index e2d3edbbc..8cbbdcf1d 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,30 +86,41 @@ from logs-endpoint.events.file-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - diff --git a/rules/windows/impact_mod_critical_os_files.toml b/rules/windows/impact_mod_critical_os_files.toml index 7aa911b63..32e3b5a4c 100644 --- a/rules/windows/impact_mod_critical_os_files.toml +++ b/rules/windows/impact_mod_critical_os_files.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -93,18 +93,18 @@ file where host.os.type == "windows" and event.type in ("change", "deletion") an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml index 7f585c29a..06640b4a5 100644 --- a/rules/windows/impact_ransomware_file_rename_smb.toml +++ b/rules/windows/impact_ransomware_file_rename_smb.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,36 +82,41 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml index 392a87fdb..ed12fe357 100644 --- a/rules/windows/impact_ransomware_note_file_over_smb.toml +++ b/rules/windows/impact_ransomware_note_file_over_smb.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,36 +82,41 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index e6e6087c4..1c69ec5ba 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/06/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,17 +80,34 @@ event.category:process and host.os.type:windows and event.type:start and process [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.threshold] field = ["host.id"] value = 10 diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index 073eef3b4..39ada5349 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -118,31 +118,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml index 83b0ab0ed..7bf7d72b1 100644 --- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,10 +111,12 @@ sequence by user.id with maxspan=2m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -125,27 +127,43 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.006" name = "HTML Smuggling" reference = "https://attack.mitre.org/techniques/T1027/006/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml index 1c10e7709..b123d9b67 100644 --- a/rules/windows/initial_access_execution_from_inetcache.toml +++ b/rules/windows/initial_access_execution_from_inetcache.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,31 +113,49 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml index 313b2343f..ed59a6072 100644 --- a/rules/windows/initial_access_execution_remote_via_msiexec.toml +++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,36 +101,49 @@ MSIEXEC, the Windows Installer, facilitates software installation, modification, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml index ce76d88f6..00b31a4d9 100644 --- a/rules/windows/initial_access_execution_via_office_addins.toml +++ b/rules/windows/initial_access_execution_via_office_addins.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,36 +125,59 @@ process where [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" + [[rule.threat.technique.subtechnique]] id = "T1137.006" name = "Add-ins" reference = "https://attack.mitre.org/techniques/T1137/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml index 61e732cb4..9acaecc40 100644 --- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -110,22 +110,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -136,10 +139,98 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = "https://attack.mitre.org/techniques/T1049/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique]] +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml index 018003de5..ca1b8afcd 100644 --- a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml +++ b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,14 +92,59 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml index f7ff84102..9e6429272 100644 --- a/rules/windows/initial_access_rdp_file_mail_attachment.toml +++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,19 +100,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 7ec8d1330..7ea7e0e73 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,27 +105,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -136,10 +139,12 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 6846a4ea7..b60c69c98 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,23 +106,25 @@ sequence by host.id with maxspan = 5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -132,15 +134,18 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml index 402f26c77..153757b67 100644 --- a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml +++ b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/13" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/13" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,10 +84,12 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" @@ -100,14 +102,32 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" @@ -117,3 +137,44 @@ reference = "https://attack.mitre.org/techniques/T1204/002/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index 519fd905a..1d9ac75ee 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -85,26 +85,44 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index 28e435a37..d6fed06ce 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,22 +94,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -120,10 +123,25 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 74d8fad80..de4be6c22 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,27 +123,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -154,22 +157,103 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.001" +name = "Compiled HTML File" +reference = "https://attack.mitre.org/techniques/T1218/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.002" +name = "Control Panel" +reference = "https://attack.mitre.org/techniques/T1218/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = "https://attack.mitre.org/techniques/T1049/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index c0828b44e..964b692c4 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,27 +110,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -141,22 +144,60 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml index c1bfe3cbe..051751faf 100644 --- a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml +++ b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/24" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,22 +86,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -112,10 +115,43 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_url_cve_2025_33053.toml b/rules/windows/initial_access_url_cve_2025_33053.toml index 17c356f8d..6f022a55f 100644 --- a/rules/windows/initial_access_url_cve_2025_33053.toml +++ b/rules/windows/initial_access_url_cve_2025_33053.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/11" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/06/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,10 +84,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -103,18 +105,38 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - - [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 7a7e8c675..123281bc7 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,10 +96,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -110,18 +112,19 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -137,22 +140,45 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml index fbe76f594..261f57864 100644 --- a/rules/windows/initial_access_webshell_screenconnect_server.toml +++ b/rules/windows/initial_access_webshell_screenconnect_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,22 +92,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -118,10 +121,25 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml index 2a1b8903a..0e82b88b1 100644 --- a/rules/windows/initial_access_xsl_script_execution_via_com.toml +++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,31 +82,64 @@ The Microsoft.XMLDOM COM interface allows applications to parse and transform XM [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 3e17c1558..7f787510c 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,48 +80,54 @@ sequence by process.entity_id with maxspan = 1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml index ecce43b56..4453dc6b4 100644 --- a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml +++ b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/28" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,33 +99,39 @@ sequence by source.port, source.ip with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.003" name = "Pass the Ticket" reference = "https://attack.mitre.org/techniques/T1550/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - +[[rule.threat.technique.subtechnique]] +id = "T1558.004" +name = "AS-REP Roasting" +reference = "https://attack.mitre.org/techniques/T1558/004/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index 4f7be9daf..e232e9ab8 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,36 +85,54 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index edec6ac25..931dc6bc1 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,36 +84,54 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index 99d6bbb80..023860a5a 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,19 +85,36 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index b0a6ce543..d761b1752 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -104,19 +104,41 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" +[[rule.threat.technique.subtechnique]] +id = "T1563.002" +name = "RDP Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1113" +name = "Screen Capture" +reference = "https://attack.mitre.org/techniques/T1113/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index a6329dc5a..002889aff 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,19 +91,23 @@ process where host.os.type == "windows" and event.type == "start" and process.ex [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 9f04832e1..3b8a83804 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -145,19 +145,23 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index 8dbb6d82a..a2831b848 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,26 +99,31 @@ sequence by host.id with maxspan = 20s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml index 2ba965eb4..a32563cd4 100644 --- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml +++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,19 +90,41 @@ Remote Desktop Protocol (RDP) enables users to connect to and control remote sys [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 197d4339c..75ea925db 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,19 +90,41 @@ process where host.os.type == "windows" and event.type == "start" and user.id != [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" + +[[rule.threat.technique.subtechnique]] +id = "T1074.002" +name = "Remote Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/002/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml index 374035f3d..e47b9a307 100644 --- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml +++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -101,31 +101,54 @@ sequence by winlog.logon.id, winlog.computer_name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index 6409bf739..7492f498e 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -161,14 +161,31 @@ sequence with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml index f9f1e18e1..4ee2d91cf 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_children.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,14 +111,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml index d7b316d6e..df4740c7d 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/10/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -77,18 +77,29 @@ event.category : "file" and host.os.type : "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["file.path", "host.id"] diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index a74ff41d1..f02efb407 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,36 +91,46 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml index 22ecd3dc5..dddccbfc9 100644 --- a/rules/windows/lateral_movement_via_wsus_update.toml +++ b/rules/windows/lateral_movement_via_wsus_update.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/19" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,14 +92,18 @@ process.executable : ( [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1072" +name = "Software Deployment Tools" +reference = "https://attack.mitre.org/techniques/T1072/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml index 2141ad620..5b2e32e97 100644 --- a/rules/windows/persistence_browser_extension_install.toml +++ b/rules/windows/persistence_browser_extension_install.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,14 +115,18 @@ file where host.os.type == "windows" and event.type : "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1176" name = "Software Extensions" reference = "https://attack.mitre.org/techniques/T1176/" +[[rule.threat.technique.subtechnique]] +id = "T1176.001" +name = "Browser Extensions" +reference = "https://attack.mitre.org/techniques/T1176/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index d53df1351..e51958ef4 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,19 +86,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique.subtechnique]] +id = "T1564.002" +name = "Hidden Users" +reference = "https://attack.mitre.org/techniques/T1564/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index a29e42c83..a509c414c 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,14 +89,18 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" +[[rule.threat.technique.subtechnique]] +id = "T1137.001" +name = "Office Template Macros" +reference = "https://attack.mitre.org/techniques/T1137/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_msi_installer_task_startup.toml b/rules/windows/persistence_msi_installer_task_startup.toml index 240595008..efbc92edb 100644 --- a/rules/windows/persistence_msi_installer_task_startup.toml +++ b/rules/windows/persistence_msi_installer_task_startup.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -126,27 +126,40 @@ Windows Installer, through msiexec.exe, facilitates software installation and co [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.001" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1547/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index 70d8729bf..289233277 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,36 +94,54 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.002" name = "Additional Email Delegate Permissions" reference = "https://attack.mitre.org/techniques/T1098/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1114" +name = "Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique.subtechnique]] +id = "T1114.002" +name = "Remote Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/002/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml index 477f80782..8f6311c3f 100644 --- a/rules/windows/persistence_registry_uncommon.toml +++ b/rules/windows/persistence_registry_uncommon.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/30" [rule] author = ["Elastic"] @@ -153,41 +153,61 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique]] +id = "T1176" +name = "Software Extensions" +reference = "https://attack.mitre.org/techniques/T1176/" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.002" name = "Screensaver" reference = "https://attack.mitre.org/techniques/T1546/002/" +[[rule.threat.technique.subtechnique]] +id = "T1546.012" +name = "Image File Execution Options Injection" +reference = "https://attack.mitre.org/techniques/T1546/012/" [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1547.014" +name = "Active Setup" +reference = "https://attack.mitre.org/techniques/T1547/014/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index 6cdfda1c0..14c08b77d 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/18" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -170,19 +170,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml index 5152e42de..426b00a56 100644 --- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml +++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,19 +89,84 @@ sequence by host.id, user.name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index d5fd087cd..0cdd460da 100644 --- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,24 +102,36 @@ any where host.os.type == "windows" and event.code == "5136" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml index cbd24408d..c5f743170 100644 --- a/rules/windows/persistence_service_dll_unsigned.toml +++ b/rules/windows/persistence_service_dll_unsigned.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -167,53 +167,64 @@ Svchost.exe is a critical Windows process that hosts multiple services, allowing [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index e142ec771..4907ef082 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/07" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,31 +117,41 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index fcea266ea..288d3035d 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -147,36 +147,36 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" - - +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml b/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml index e3c5bf98f..5706fc3e3 100644 --- a/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml +++ b/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/07" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,27 +86,31 @@ file where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.001" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1547/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] +[[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 2a0d907bc..a3b0b221f 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -120,27 +120,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -151,10 +154,17 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index 708d2187c..9143335a0 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/04/24" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Skoetting"] @@ -102,14 +102,18 @@ iam where host.os.type == "windows" and event.action == "added-member-to-group" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 2bab46a9d..5fff35a5c 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1136.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1136/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 1d217e04f..249be5b3c 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -97,43 +97,49 @@ registry where host.os.type == "windows" and event.type == "change" and length(r [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index 4c77031fe..5460a9a10 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -147,36 +147,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/011/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index df5ba00f6..ab9056795 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -170,41 +170,61 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.001" +name = "Logon Script (Windows)" +reference = "https://attack.mitre.org/techniques/T1037/001/" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1547.004" +name = "Winlogon Helper DLL" +reference = "https://attack.mitre.org/techniques/T1547/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 9999667d1..133006547 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/01/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -153,35 +153,38 @@ value = "*?:\\\\Program Files (x86)\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -191,6 +194,7 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -206,14 +210,15 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml index 10b36a1c6..fe4ec7548 100644 --- a/rules/windows/persistence_werfault_reflectdebugger.toml +++ b/rules/windows/persistence_werfault_reflectdebugger.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,26 +89,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.012" +name = "Image File Execution Options Injection" +reference = "https://attack.mitre.org/techniques/T1546/012/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index 50b903484..27303266a 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,14 +98,18 @@ event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAP [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 8d113e3b9..dc3a6bd37 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,51 +113,41 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml index b68b5bdb6..b86726f75 100644 --- a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml +++ b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/23" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -61,27 +61,44 @@ event.code:5137 and host.os.type:"windows" and winlog.event_data.ObjectClass:"ms [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1136/002/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index 45a02549d..7f8f269e8 100644 --- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,14 +82,39 @@ any where host.os.type == "windows" and event.category : ("library", "process") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml index cec1e42a8..1c167c679 100644 --- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml +++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -118,34 +118,44 @@ event.category:"driver" and host.os.type:windows and event.action:"load" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"] diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml index d96ccf10b..cf2760676 100644 --- a/rules/windows/privilege_escalation_expired_driver_loaded.toml +++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,31 +75,41 @@ In Windows environments, drivers facilitate communication between the OS and har [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.002" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1553/002/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index 7ce547320..4d153d831 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,26 +102,36 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.010" +name = "Services File Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/010/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index 83c8fad1a..447985003 100644 --- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,36 +90,46 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index 1c705e82d..bb2e22b74 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,24 +121,36 @@ any where host.os.type == "windows" and event.code in ("5136", "5145") and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index 52bf1177b..70c696923 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -143,14 +143,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml index 337b065f9..d0e2f4e4f 100644 --- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,31 +89,36 @@ sequence by winlog.computer_name with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index 17355c1cb..2cfed3e66 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -135,14 +135,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index 0d2a820a6..0662fe27d 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -162,44 +162,49 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [[rule.threat.technique.subtechnique]] id = "T1134.001" name = "Token Impersonation/Theft" reference = "https://attack.mitre.org/techniques/T1134/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 020105af0..e1aae601b 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,14 +95,31 @@ sequence by host.id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index b425a85e9..5209db6b7 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,17 +138,26 @@ value = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-???????? [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.name"] diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index 75067c258..1f6466d29 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,14 +91,31 @@ file where host.os.type == "windows" and event.type == "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml index c415ada0e..7b6d04f8e 100644 --- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml +++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/05" integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/10/07" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,46 +135,59 @@ registry where host.os.type == "windows" and event.type == "change" and process. [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.011" name = "Services Registry Permissions Weakness" reference = "https://attack.mitre.org/techniques/T1574/011/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index e411a855b..265e44364 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,19 +92,31 @@ registry.path : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.007" name = "Path Interception by PATH Environment Variable" reference = "https://attack.mitre.org/techniques/T1574/007/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml index 2f73a8e24..8fc207118 100644 --- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml +++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml @@ -2,7 +2,7 @@ creation_date = "2021/12/12" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,6 +84,7 @@ iam where host.os.type == "windows" and event.action == "renamed-user-account" a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -93,27 +94,39 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index c2d36fb1b..cc533de6f 100644 --- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -120,23 +120,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -146,6 +148,7 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -161,18 +164,34 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" @@ -183,10 +202,7 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml index db144eec5..fbb26f3b0 100644 --- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml +++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,6 +87,7 @@ iam where host.os.type == "windows" and event.action == "changed-computer-accoun [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -96,15 +97,18 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index 97b2898d6..280063046 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,53 +91,49 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 8752086e4..e8e462a1c 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -134,46 +134,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index fa2fd7c19..9afd46092 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -132,46 +132,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 4a8e99f00..dedb007cc 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/06/05" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -162,19 +162,46 @@ process.parent.name != null and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.012" name = "Process Hollowing" reference = "https://attack.mitre.org/techniques/T1055/012/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.009" +name = "Break Process Trees" +reference = "https://attack.mitre.org/techniques/T1036/009/" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[[rule.threat.technique.subtechnique]] +id = "T1134.004" +name = "Parent PID Spoofing" +reference = "https://attack.mitre.org/techniques/T1134/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index cb89a43db..35c9d4192 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -93,14 +93,18 @@ file where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml index 445af055e..fe0eec749 100644 --- a/rules_building_block/collection_archive_data_zip_imageload.toml +++ b/rules_building_block/collection_archive_data_zip_imageload.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -56,14 +56,18 @@ library where host.os.type == "windows" and event.action == "load" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" +[[rule.threat.technique.subtechnique]] +id = "T1560.002" +name = "Archive via Library" +reference = "https://attack.mitre.org/techniques/T1560/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml index 5742ea8c0..8b7722818 100644 --- a/rules_building_block/collection_common_compressed_archived_file.toml +++ b/rules_building_block/collection_common_compressed_archived_file.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = "endpoint" maturity = "production" -updated_date = "2025/01/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,58 +76,64 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" + [[rule.threat.technique.subtechnique]] id = "T1074.001" name = "Local Data Staging" reference = "https://attack.mitre.org/techniques/T1074/001/" - [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [[rule.threat.technique.subtechnique]] id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1132" name = "Data Encoding" reference = "https://attack.mitre.org/techniques/T1132/" + [[rule.threat.technique.subtechnique]] id = "T1132.001" name = "Standard Encoding" reference = "https://attack.mitre.org/techniques/T1132/001/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.015" +name = "Compression" +reference = "https://attack.mitre.org/techniques/T1027/015/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml index 5fd3ef741..e78b29e10 100644 --- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml +++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -43,19 +43,36 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" + [[rule.threat.technique.subtechnique]] id = "T1074.001" name = "Local Data Staging" reference = "https://attack.mitre.org/techniques/T1074/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/collection_microsoft_purview_dlp_signal.toml b/rules_building_block/collection_microsoft_purview_dlp_signal.toml index bfc6b8ca0..03a5db7e6 100644 --- a/rules_building_block/collection_microsoft_purview_dlp_signal.toml +++ b/rules_building_block/collection_microsoft_purview_dlp_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -56,13 +56,39 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[[rule.threat.technique]] +id = "T1114" +name = "Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml index 529eff840..ad3153f27 100644 --- a/rules_building_block/collection_outlook_email_archive.toml +++ b/rules_building_block/collection_outlook_email_archive.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -52,19 +52,23 @@ process where host.os.type == "windows" and event.type == "start" and process.ar [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" reference = "https://attack.mitre.org/techniques/T1114/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml index 621b225c5..281482a08 100644 --- a/rules_building_block/collection_posh_compression.toml +++ b/rules_building_block/collection_posh_compression.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -207,34 +207,44 @@ value = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" +[[rule.threat.technique.subtechnique]] +id = "T1560.001" +name = "Archive via Utility" +reference = "https://attack.mitre.org/techniques/T1560/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.002" +name = "Archive via Library" +reference = "https://attack.mitre.org/techniques/T1560/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml index 4ed4c5547..c4ccf43c4 100644 --- a/rules_building_block/command_and_control_certutil_network_connection.toml +++ b/rules_building_block/command_and_control_certutil_network_connection.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/03/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.investigate]] @@ -163,14 +163,26 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml index 5701fe075..cb59a5d17 100644 --- a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml +++ b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -56,31 +56,36 @@ network where event.action == "lookup_requested" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml index 74f869233..f73fe1603 100644 --- a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml +++ b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -54,29 +54,35 @@ event.dataset:o365.audit and event.code:AadRiskDetection [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml index 6eb634e33..6850fbdf2 100644 --- a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -49,14 +49,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index c4ef158a6..74149cb79 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml +++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -74,19 +74,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index b46bd062d..47797a833 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -48,31 +48,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index 87e086c3d..630b6740f 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,24 +83,18 @@ library where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml index 79332fc53..363c2625c 100644 --- a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml +++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -40,24 +40,28 @@ sequence by user.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.002" +name = "ClickOnce" +reference = "https://attack.mitre.org/techniques/T1127/002/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml index 0e65e8b4c..2b11ed47d 100644 --- a/rules_building_block/defense_evasion_download_susp_extension.toml +++ b/rules_building_block/defense_evasion_download_susp_extension.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -61,22 +61,25 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -87,10 +90,25 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml index 2eecbdb9c..263944fd0 100644 --- a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml +++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,26 +78,36 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml index ba036559b..4092da460 100644 --- a/rules_building_block/defense_evasion_generic_deletion.toml +++ b/rules_building_block/defense_evasion_generic_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -54,19 +54,33 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml index afce0c6f8..7a42e416c 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,10 +108,12 @@ library where event.action == "load" and dll.Ext.relative_file_creation_time <= [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -122,37 +124,40 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" + +[[rule.threat.technique.subtechnique]] +id = "T1553.002" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1553/002/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml index 884c45780..4387a5d03 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,10 +82,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -96,22 +98,30 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.002" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1553/002/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml b/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml index eb6a59b01..d685e67b8 100644 --- a/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml +++ b/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -54,30 +54,49 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml index 6c94369c5..53fcb3994 100644 --- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -59,14 +59,31 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_outlook_suspicious_child.toml b/rules_building_block/defense_evasion_outlook_suspicious_child.toml index a081138d5..04c850ef3 100644 --- a/rules_building_block/defense_evasion_outlook_suspicious_child.toml +++ b/rules_building_block/defense_evasion_outlook_suspicious_child.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/01/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,10 +72,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -86,27 +88,38 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml index 88639b9b6..f3bea5cad 100644 --- a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml +++ b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -174,39 +174,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml index c1f1d49da..504eedb76 100644 --- a/rules_building_block/defense_evasion_service_disabled_registry.toml +++ b/rules_building_block/defense_evasion_service_disabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -48,26 +48,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml index 90930db47..2a00fb024 100644 --- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml +++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -55,14 +55,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index ca738169f..26796bd54 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -63,19 +63,31 @@ host.os.type: "windows" and event.action : ("Directory Service Access" or "objec [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index eb8dadcd5..7c0ba29b8 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -64,10 +64,17 @@ and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -78,11 +85,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -93,15 +100,12 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [[rule.threat.technique]] id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_hosts_file_access.toml b/rules_building_block/discovery_hosts_file_access.toml index d371aaa1a..a63b5a271 100644 --- a/rules_building_block/discovery_hosts_file_access.toml +++ b/rules_building_block/discovery_hosts_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -42,6 +42,11 @@ not ?process.working_directory in ("/opt/SolarWinds/Agent/bin/Plugins/SCM", "/op [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml index 981adb137..fbf32904d 100644 --- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/12" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -70,11 +70,15 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml index 3df1dd8bd..341d4d6b2 100644 --- a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml +++ b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -59,16 +59,16 @@ process.name == "kubectl" and ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml index eee45ca1d..0e0adaa49 100644 --- a/rules_building_block/discovery_linux_modprobe_enumeration.toml +++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -77,11 +77,33 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml index 332fd65a4..061062d0d 100644 --- a/rules_building_block/discovery_linux_sysctl_enumeration.toml +++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,6 +79,36 @@ id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index 4d83aa906..395fa517e 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -44,26 +44,44 @@ sequence by user.name, source.port, source.ip with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index c64491dcc..5a7e4e36c 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -44,14 +44,18 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml index d25af55f2..f6b290675 100644 --- a/rules_building_block/discovery_posh_generic.toml +++ b/rules_building_block/discovery_posh_generic.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -201,6 +201,7 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" @@ -211,6 +212,11 @@ id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" @@ -222,9 +228,19 @@ name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.001" +name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [[rule.threat.technique]] id = "T1082" @@ -240,6 +256,7 @@ reference = "https://attack.mitre.org/techniques/T1083/" id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -250,7 +267,6 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" @@ -270,37 +286,36 @@ reference = "https://attack.mitre.org/techniques/T1482/" id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - [[rule.threat.technique]] id = "T1615" name = "Group Policy Discovery" reference = "https://attack.mitre.org/techniques/T1615/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index fe12f7397..c0d2b23ed 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,34 +142,52 @@ not user.id : "S-1-5-18" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.006" +name = "Group Policy Preferences" +reference = "https://attack.mitre.org/techniques/T1552/006/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml index 1296b7919..2640548bf 100644 --- a/rules_building_block/discovery_potential_memory_seeking_activity.toml +++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -70,3 +70,16 @@ reference = "https://attack.mitre.org/techniques/T1057/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 49272de50..8244aa006 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -93,6 +93,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" @@ -103,9 +104,17 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index b226cb4c1..0493b2592 100644 --- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -45,6 +45,11 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" @@ -54,7 +59,6 @@ reference = "https://attack.mitre.org/techniques/T1049/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable", "process.command_line", "host.id"] diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml index 4810cc175..335cba1ca 100644 --- a/rules_building_block/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -70,14 +70,23 @@ process where host.os.type == "windows" and event.type == "start" and process.pa [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" reference = "https://attack.mitre.org/techniques/T1007/" +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1135" +name = "Network Share Discovery" +reference = "https://attack.mitre.org/techniques/T1135/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml index 4966907e2..10d34aea9 100644 --- a/rules_building_block/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -54,14 +54,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1124" name = "System Time Discovery" reference = "https://attack.mitre.org/techniques/T1124/" +[[rule.threat.technique]] +id = "T1614" +name = "System Location Discovery" +reference = "https://attack.mitre.org/techniques/T1614/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index dc1f9d257..96787e502 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -52,6 +52,12 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" @@ -62,9 +68,12 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index c2deaf422..a1f44fc19 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -62,14 +62,36 @@ process.parent.executable : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml index 481941c12..948e55f7d 100644 --- a/rules_building_block/execution_github_new_event_action_for_pat.toml +++ b/rules_building_block/execution_github_new_event_action_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -37,17 +37,52 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "event.action"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml index cb75d586d..a8e01f3fe 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -38,17 +38,34 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.repo"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml index ba867350a..896a0dcf8 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -37,17 +37,34 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.repo"] diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml index 0b5f2635d..a7e65405f 100644 --- a/rules_building_block/execution_github_repo_created.toml +++ b/rules_building_block/execution_github_repo_created.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -35,14 +35,31 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1583" +name = "Acquire Infrastructure" +reference = "https://attack.mitre.org/techniques/T1583/" + +[[rule.threat.technique.subtechnique]] +id = "T1583.006" +name = "Web Services" +reference = "https://attack.mitre.org/techniques/T1583/006/" + +[rule.threat.tactic] +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml index 33a822c83..c048fbf59 100644 --- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml +++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -37,17 +37,52 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["github.repo", "github.actor_ip"] diff --git a/rules_building_block/execution_linux_segfault.toml b/rules_building_block/execution_linux_segfault.toml index e1d006ca6..b62d4a8eb 100644 --- a/rules_building_block/execution_linux_segfault.toml +++ b/rules_building_block/execution_linux_segfault.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -58,8 +58,12 @@ host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index 1c0144646..b6b5b0846 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -46,36 +46,54 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index 3a861c4ab..46bb49f00 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -42,39 +42,57 @@ not process.code_signature.status : (errorCode_endpoint* or "errorChaining") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] diff --git a/rules_building_block/initial_access_aws_signin_token_created.toml b/rules_building_block/initial_access_aws_signin_token_created.toml index 2b8d3f7be..46967d381 100644 --- a/rules_building_block/initial_access_aws_signin_token_created.toml +++ b/rules_building_block/initial_access_aws_signin_token_created.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/10/09" integration = ["aws"] maturity = "production" -updated_date = "2025/10/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -52,22 +52,39 @@ event.dataset: "aws.cloudtrail" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml index b441c6147..472759c3b 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -37,22 +37,39 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.actor_ip"] diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml index 8ec411ba6..a0eadada0 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -37,22 +37,39 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.user_agent"] diff --git a/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml b/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml index fc9e62e60..f08ca02aa 100644 --- a/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml +++ b/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/08/19" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,26 +98,46 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.001" +name = "Malicious Link" +reference = "https://attack.mitre.org/techniques/T1204/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml b/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml index db599d22b..59d2b383c 100644 --- a/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml +++ b/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -52,11 +52,21 @@ event.dataset:o365.audit and event.code:(Quarantine or HygieneEvent or MailSubmi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" diff --git a/rules_building_block/initial_access_new_okta_authentication_behavior.toml b/rules_building_block/initial_access_new_okta_authentication_behavior.toml index 3333bc42b..30cd77e12 100644 --- a/rules_building_block/initial_access_new_okta_authentication_behavior.toml +++ b/rules_building_block/initial_access_new_okta_authentication_behavior.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2026/01/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,8 +76,17 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/initial_access_okta_admin_console_login_failure.toml b/rules_building_block/initial_access_okta_admin_console_login_failure.toml index 38c577a21..212cbbd12 100644 --- a/rules_building_block/initial_access_okta_admin_console_login_failure.toml +++ b/rules_building_block/initial_access_okta_admin_console_login_failure.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/03" integration = ["okta"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,26 +81,31 @@ event.dataset: "okta.system" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml index 444d49ece..7021ddb7a 100644 --- a/rules_building_block/lateral_movement_posh_winrm_activity.toml +++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,36 +83,41 @@ case_insensitive = true value = "?:\\\\ExchangeServer\\\\bin*" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml index dbc9fce69..880890a76 100644 --- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml +++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,31 +78,57 @@ process where event.type == "start" and host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.001" name = "SQL Stored Procedures" reference = "https://attack.mitre.org/techniques/T1505/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 75ac81fc7..aa4f14d91 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -51,31 +51,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + [[rule.threat.technique.subtechnique]] id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml index f4aaaef46..aa24f2026 100644 --- a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml +++ b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -43,29 +43,33 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml index a65b01281..88157c22d 100644 --- a/rules_building_block/persistence_github_new_pat_for_user.toml +++ b/rules_building_block/persistence_github_new_pat_for_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -37,22 +37,39 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.hashed_token"] diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml index ebf6de672..fbad7c11c 100644 --- a/rules_building_block/persistence_github_new_user_added_to_organization.toml +++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -35,19 +35,23 @@ configuration where event.dataset == "github.audit" and event.action == "org.add [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_web_server_potential_sql_injection.toml b/rules_building_block/persistence_web_server_potential_sql_injection.toml index a6611cbeb..43f2275ad 100644 --- a/rules_building_block/persistence_web_server_potential_sql_injection.toml +++ b/rules_building_block/persistence_web_server_potential_sql_injection.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/11/19" integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" -updated_date = "2026/03/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1595/003/" id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules_building_block/persistence_web_server_sus_file_creation.toml b/rules_building_block/persistence_web_server_sus_file_creation.toml index 3141a9913..e004c973f 100644 --- a/rules_building_block/persistence_web_server_sus_file_creation.toml +++ b/rules_building_block/persistence_web_server_sus_file_creation.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/03/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -160,3 +160,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml index 39bc5a78d..9a83403a8 100644 --- a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml +++ b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -updated_date = "2025/11/03" +updated_date = "2026/03/24" [rule] author = ["Austin Songer", "Elastic"] @@ -92,34 +92,52 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp",