diff --git a/etc/version.lock.json b/etc/version.lock.json
index ef62ff9a8..13badbd1b 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -76,8 +76,8 @@
 },
 "0a97b20f-4144-49ea-be32-b540ecc445de": {
 "rule_name": "Malware - Detected - Endpoint Security",
- "sha256": "d4b0108faa80fc35468cc5cfbbaf48b4db4dad7d1373cf48388752568eb83c98",
- "version": 5
+ "sha256": "adcd895329cc4d1c41bc4bf8b75404c838823731713fa11f3d3b671dd24cc31d",
+ "version": 4
 },
 "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
 "rule_name": "Anomalous Windows Process Creation",
@@ -296,8 +296,8 @@
 },
 "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
 "rule_name": "Exploit - Detected - Endpoint Security",
- "sha256": "81850f386eb8a302e85e9d36c472f159c4db6f7df7068bd0657b7a4bed6687b4",
- "version": 5
+ "sha256": "83322d535ddc84dec40b7a90e9738726df2bd27ac3cdf96e7b9ebd967560bd25",
+ "version": 4
 },
 "201200f1-a99b-43fb-88ed-f65a45c4972c": {
 "rule_name": "Suspicious .NET Code Compilation",
@@ -371,8 +371,8 @@
 },
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
 "rule_name": "Exploit - Prevented - Endpoint Security",
- "sha256": "8025e0d14b4ac2c3698276722c6310fd134681c4f71ee1f624681aae18e7940b",
- "version": 5
+ "sha256": "4a04fd5b4099a19a093d301762f68352221eca036db21c9b9b2e388dc5c56a9e",
+ "version": 4
 },
 "28896382-7d4f-4d50-9b72-67091901fd26": {
 "rule_name": "Suspicious Process from Conhost",
@@ -541,8 +541,8 @@
 },
 "3b382770-efbb-44f4-beed-f5e0a051b895": {
 "rule_name": "Malware - Prevented - Endpoint Security",
- "sha256": "11be6e8247af54541336c5e12c8a3423afd6884940d4b7f50160abb215a2337b",
- "version": 5
+ "sha256": "49bf69bac026013bdfd88dbb0ebbf5f2cf01d0bcc8dbdc00d760cc4c1ecf6daf",
+ "version": 4
 },
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "rule_name": "Unusual Parent Process for cmd.exe",
@@ -606,8 +606,8 @@
 },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
 "rule_name": "Permission Theft - Prevented - Endpoint Security",
- "sha256": "abc8e7c3bcc3a15d3c3f0f751333d1273f45b2d2fec6908c64af0132f529c07d",
- "version": 5
+ "sha256": "de91fb70ece5386bf2fe4d065f50aa219516eff015f22534b5cd1b69064fe002",
+ "version": 4
 },
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "rule_name": "Encrypting Files with WinRar or 7z",
@@ -751,8 +751,8 @@
 },
 "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
 "rule_name": "Credential Dumping - Detected - Endpoint Security",
- "sha256": "26fa244a5b78452aa61775e3ee2894c6b1bd109cef9c2af649e4dc372ccb5820",
- "version": 5
+ "sha256": "bdc750ae44da6954d429af1c78db084f915fe63db463a2e084107bd4b7725a73",
+ "version": 4
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
@@ -1046,8 +1046,8 @@
 },
 "77a3c3df-8ec4-4da4-b758-878f551dee69": {
 "rule_name": "Adversary Behavior - Detected - Endpoint Security",
- "sha256": "feb872802e7782ee07c3ce2339461810c274ee659c348fc97732f92049821215",
- "version": 5
+ "sha256": "60af511ccd3ed511fec254c879279d5090ca084efa9c11bc4fb01690450b7180",
+ "version": 4
 },
 "785a404b-75aa-4ffd-8be5-3334a5a544dd": {
 "rule_name": "Application Added to Google Workspace Domain",
@@ -1111,8 +1111,8 @@
 },
 "80c52164-c82a-402c-9964-852533d58be1": {
 "rule_name": "Process Injection - Detected - Endpoint Security",
- "sha256": "4f1de68d87322c3c6461f6185af8a92e1a0bf4c9cf15482acb0d5fc54aee9ad2",
- "version": 5
+ "sha256": "126b716fe963842ff8406842f8a101953a04e7e9f167e578094712fa6b006b00",
+ "version": 4
 },
 "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
 "rule_name": "Persistence via Kernel Module Modification",
@@ -1186,8 +1186,8 @@
 },
 "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
 "rule_name": "Ransomware - Detected - Endpoint Security",
- "sha256": "cc1ace9a3ad8ce73ec1f8770f4e28eeff0ef3cd0a16c05667446e6b3245ead12",
- "version": 5
+ "sha256": "afa86e4d621fd2e511406e86b4ae9c07348c4471320a9ef65b26e0643c34e133",
+ "version": 4
 },
 "8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
 "rule_name": "Azure Automation Runbook Deleted",
@@ -1321,8 +1321,8 @@
 },
 "990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
 "rule_name": "Process Injection - Prevented - Endpoint Security",
- "sha256": "022423bc49a60ec9e5e498ebbcb53aefd560e79e0b2f3a0d1ab3b523a69c413b",
- "version": 5
+ "sha256": "92c674029d3c058f18ec3fafbf91a3c2443023a6a18db9c3118cbf6d4138388d",
+ "version": 4
 },
 "9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
 "rule_name": "Endpoint Security",
@@ -1711,8 +1711,8 @@
 },
 "c0be5f31-e180-48ed-aa08-96b36899d48f": {
 "rule_name": "Credential Manipulation - Detected - Endpoint Security",
- "sha256": "8cc4996c8b4f2215ed4f55e655ee2885255470bc1a1ad5b9ca9ddca5b67d360b",
- "version": 5
+ "sha256": "3e27a7e7fda1be83a083f51ec320e2c49e41a3048660137a7d551e30b8c997c3",
+ "version": 4
 },
 "c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
 "rule_name": "Microsoft IIS Connection Strings Decryption",
@@ -1736,8 +1736,8 @@
 },
 "c3167e1b-f73c-41be-b60b-87f4df707fe3": {
 "rule_name": "Permission Theft - Detected - Endpoint Security",
- "sha256": "01ef32f083b0567b88de07eb3e0d12f44d921b856a867438182a18a915ce6df9",
- "version": 5
+ "sha256": "7b185258dbbaa2a9837362d5bb5f7551cfdf689ccbd0119140c1155c581dd80c",
+ "version": 4
 },
 "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
@@ -1801,8 +1801,8 @@
 },
 "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
 "rule_name": "Credential Manipulation - Prevented - Endpoint Security",
- "sha256": "5e44b1db0cda0ab4d0164d299c3ab1d19040ef76742cc689a565a1f1d05f419a",
- "version": 5
+ "sha256": "0734e9a063c5bbf35c5b4b73c95544f1399e648c12d6396698015de1d5d392ef",
+ "version": 4
 },
 "ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
 "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
@@ -1981,8 +1981,8 @@
 },
 "db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
 "rule_name": "Credential Dumping - Prevented - Endpoint Security",
- "sha256": "d2cc502d59bfbd70f4141daac53c9d1b5f4bc02cfab59c4332124854a1d87ec2",
- "version": 5
+ "sha256": "ce8fd451c2c3bc3c5f9b35f212dc0b75348bb07d1c1c4c1559e575150874345f",
+ "version": 4
 },
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
@@ -2066,8 +2066,8 @@
 },
 "e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
 "rule_name": "Ransomware - Prevented - Endpoint Security",
- "sha256": "3eaf582284975d232f4419f32b8f6e2b383e7c68328a779e7da46c7feebbccb1",
- "version": 5
+ "sha256": "911ba16663efb30078217f771edbd6e7356f869662483fac274b09c8097580cb",
+ "version": 4
 },
 "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
 "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index d26b582a7..2f7ee47e6 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index 21b8963de..d5e62fbc4 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml
index 8321e246b..8afec8188 100644
--- a/rules/apm/apm_null_user_agent.toml
+++ b/rules/apm/apm_null_user_agent.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index decadc32e..630178522 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index 6f81d0ac3..9da2ea84f 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index ad85cfcc7..f74b6b52a 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
index b5b22dd2b..36af18b95 100644
--- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 446d04f53..b23e79319 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 626dcaaae..9d9591d68 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 52c807fb2..6f909426e 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index 13bfcdb78..c78159701 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
index fe80eaf68..88a527123 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
index 6a17d2849..eb68d0a95 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
index 574e1c296..3e6e714ee 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
index 5a51ffdf7..eef349875 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
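Review bot: The removed `updated_date = "2020/02/16"` in this hunk predates `creation_date = "2020/05/28"`, and the same impossible ordering is corrected in every rule file touched by this commit, which suggests nothing in the rule-metadata validation rejects it. If the schema loader does not already enforce it, a check on the `[metadata]` table such as `updated_date >= creation_date` would have caught the bulk mis-dating before it reached the repository and would catch the next one. Because the values carry no timezone and use a fixed `YYYY/MM/DD` layout, a plain string comparison is sufficient for that check.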
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 788e141ce..272b3735f 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
index 6e595b8b9..67022ac20 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index 4e1b4f9ef..377e8d445 100644
--- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
index 30f0cad0b..9065017eb 100644
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/24"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
index 3202c12f8..ef5749fa5 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
index e468d89c0..76b3849c2 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
index 8259b8b02..3e0487546 100644
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
index dd7b5ff7a..164d65f07 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
index 20aed374f..120912365 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
index 058c21710..86ead91d7 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/aws/impact_iam_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
index f2070e714..a70f3c5f8 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/aws/impact_rds_cluster_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml
index da5adf0a4..35ecad5ca 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml
index b422e4591..b7be52fbf 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/aws/initial_access_console_login_root.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/11"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml
index d29d83304..4132af1c9 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/aws/initial_access_password_recovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/initial_access_via_system_manager.toml b/rules/aws/initial_access_via_system_manager.toml
index e0c1b37a7..234c296d0 100644
--- a/rules/aws/initial_access_via_system_manager.toml
+++ b/rules/aws/initial_access_via_system_manager.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index e070472e6..b04207e36 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index 03a265b93..ad208b8a5 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index 2cb50c55c..65c70ecbe 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index 94777d022..9343b0a20 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
index a7804be7f..15fc18844 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/collection_update_event_hub_auth_rule.toml b/rules/azure/collection_update_event_hub_auth_rule.toml
index be094e474..eb12e6dd9 100644
--- a/rules/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/azure/collection_update_event_hub_auth_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/credential_access_key_vault_modified.toml b/rules/azure/credential_access_key_vault_modified.toml
index 2cde4a12e..a7158fa7e 100644
--- a/rules/azure/credential_access_key_vault_modified.toml
+++ b/rules/azure/credential_access_key_vault_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/credential_access_storage_account_key_regenerated.toml b/rules/azure/credential_access_storage_account_key_regenerated.toml
index 814482dd1..56d9f7e30 100644
--- a/rules/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/azure/credential_access_storage_account_key_regenerated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_azure_application_credential_modification.toml b/rules/azure/defense_evasion_azure_application_credential_modification.toml
index 942b3f955..8dff11176 100644
--- a/rules/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/azure/defense_evasion_azure_application_credential_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index 13d980cf7..b4721e635 100644
--- a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_azure_service_principal_addition.toml b/rules/azure/defense_evasion_azure_service_principal_addition.toml
index bcba85029..300e08378 100644
--- a/rules/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/azure/defense_evasion_azure_service_principal_addition.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_event_hub_deletion.toml b/rules/azure/defense_evasion_event_hub_deletion.toml
index 19707521d..547488246 100644
--- a/rules/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/azure/defense_evasion_event_hub_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_firewall_policy_deletion.toml b/rules/azure/defense_evasion_firewall_policy_deletion.toml
index 6cda40df3..463316d10 100644
--- a/rules/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/azure/defense_evasion_firewall_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_network_watcher_deletion.toml b/rules/azure/defense_evasion_network_watcher_deletion.toml
index f7abb2626..400802c68 100644
--- a/rules/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/azure/defense_evasion_network_watcher_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/discovery_blob_container_access_mod.toml b/rules/azure/discovery_blob_container_access_mod.toml
index 9f3529e2f..dd9985506 100644
--- a/rules/azure/discovery_blob_container_access_mod.toml
+++ b/rules/azure/discovery_blob_container_access_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/execution_command_virtual_machine.toml b/rules/azure/execution_command_virtual_machine.toml
index 399bfd6ab..880e01760 100644
--- a/rules/azure/execution_command_virtual_machine.toml
+++ b/rules/azure/execution_command_virtual_machine.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/impact_azure_automation_runbook_deleted.toml b/rules/azure/impact_azure_automation_runbook_deleted.toml
index af5165f43..75c0859d1 100644
--- a/rules/azure/impact_azure_automation_runbook_deleted.toml
+++ b/rules/azure/impact_azure_automation_runbook_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/impact_resource_group_deletion.toml b/rules/azure/impact_resource_group_deletion.toml
index b471eae0b..716d04e2a 100644
--- a/rules/azure/impact_resource_group_deletion.toml
+++ b/rules/azure/impact_resource_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
index d12105012..8afbbc0f1 100644
--- a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 8f509e006..745d27ec3 100644
--- a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/initial_access_external_guest_user_invite.toml b/rules/azure/initial_access_external_guest_user_invite.toml
index 160834dc7..24d242249 100644
--- a/rules/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/azure/initial_access_external_guest_user_invite.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_automation_account_created.toml b/rules/azure/persistence_azure_automation_account_created.toml
index d318ce534..97c638594 100644
--- a/rules/azure/persistence_azure_automation_account_created.toml
+++ b/rules/azure/persistence_azure_automation_account_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
index 806f4eacb..2e53389f1 100644
--- a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_automation_webhook_created.toml b/rules/azure/persistence_azure_automation_webhook_created.toml
index b0a6852e2..3245d127b 100644
--- a/rules/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/azure/persistence_azure_automation_webhook_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/azure/persistence_azure_conditional_access_policy_modified.toml
index 2fffd7d23..5b0770938 100644
--- a/rules/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/azure/persistence_azure_pim_user_added_global_admin.toml
index 7c8617270..2c001fdbf 100644
--- a/rules/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/24"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
index cbb8a28d3..8db1b6a44 100644
--- a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/azure/persistence_mfa_disabled_for_azure_user.toml
index c383578ef..6f1049aa9 100644
--- a/rules/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/20"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
index 3ea446dc4..515db430c 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/20"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 432c50f49..5924e4569 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/20"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 37cc57f8d..1705cafa1 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/03"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 612483748..fbad06b89 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/07"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index 439c83489..b3c4e9636 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/14"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 7af4ca145..364dc3446 100644
--- a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/23"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
index 060e383e0..a578dcb77 100644
--- a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/23"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
index c7d8419c7..99f9ffda4 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index eb825aa61..42d2d7d55 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index bac310fc9..cde5d9cc6 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index 02a339a2b..a2e02e6cd 100644
--- a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index 0500cd270..c6f120c8c 100644
--- a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index 1dfdb4da8..b17b0d5dc 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/23"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 24fa47539..a66a0cf3b 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index 8c5ae4795..4f020c777 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index ea0aff95d..25e101d64 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
index b6f19d3fe..5cb16669b 100644
--- a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_iam_role_deletion.toml b/rules/gcp/impact_gcp_iam_role_deletion.toml
index a154b0c81..287a46743 100644
--- a/rules/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/gcp/impact_gcp_iam_role_deletion.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_service_account_deleted.toml b/rules/gcp/impact_gcp_service_account_deleted.toml
index 56130f408..ad324d745 100644
--- a/rules/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/gcp/impact_gcp_service_account_deleted.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_service_account_disabled.toml b/rules/gcp/impact_gcp_service_account_disabled.toml
index aaa767417..39e6ba0c0 100644
--- a/rules/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/gcp/impact_gcp_service_account_disabled.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
index 1b3746539..4d5922151 100644
--- a/rules/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml b/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
index 67b612311..f870cfd0a 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
index ab6a1af2b..5be9a2f5a 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
index 8d662ee68..b53d0fdd6 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
index e05e54a9c..5f0f07f4e 100644
--- a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 4f1f0183f..0ed1ab4f0 100644
--- a/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/gcp/persistence_gcp_key_created_for_service_account.toml
index 1b76e3e30..5354563bd 100644
--- a/rules/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/gcp/persistence_gcp_service_account_created.toml b/rules/gcp/persistence_gcp_service_account_created.toml
index 0dc4adc41..70e43f6eb 100644
--- a/rules/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/gcp/persistence_gcp_service_account_created.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/google-workspace/application_added_to_google_workspace_domain.toml b/rules/google-workspace/application_added_to_google_workspace_domain.toml
index 6ee752354..b54283e68 100644
--- a/rules/google-workspace/application_added_to_google_workspace_domain.toml
+++ b/rules/google-workspace/application_added_to_google_workspace_domain.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml b/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
index e65ae58a8..c7463ee8c 100644
--- a/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/google-workspace/google_workspace_admin_role_deletion.toml b/rules/google-workspace/google_workspace_admin_role_deletion.toml
index 6fc5326a3..16c71a40b 100644
--- a/rules/google-workspace/google_workspace_admin_role_deletion.toml
+++ b/rules/google-workspace/google_workspace_admin_role_deletion.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml b/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
index e4afab6f0..acbb3e381 100644
--- a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/google-workspace/google_workspace_policy_modified.toml b/rules/google-workspace/google_workspace_policy_modified.toml
index 7f5f299a5..c2280b2e0 100644
--- a/rules/google-workspace/google_workspace_policy_modified.toml
+++ b/rules/google-workspace/google_workspace_policy_modified.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml b/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
index 11f4db55d..361857dd7 100644
--- a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index fb0058b14..e9ed12fdc 100644
--- a/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index 6b4560661..7833e15d0 100644
--- a/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/12"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
index 2257b0ee5..35f937b5a 100644
--- a/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/google-workspace/persistence_google_workspace_role_modified.toml b/rules/google-workspace/persistence_google_workspace_role_modified.toml
index 96045aff6..2799f51b4 100644
--- a/rules/google-workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/google-workspace/persistence_google_workspace_role_modified.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/credential_access_tcpdump_activity.toml b/rules/linux/credential_access_tcpdump_activity.toml
index 6b461ca7d..849e77412 100644
--- a/rules/linux/credential_access_tcpdump_activity.toml
+++ b/rules/linux/credential_access_tcpdump_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index 3902e29a6..3c9ff0c9d 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/24"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 311b63273..8db4eb600 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/27"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index 1e9e0f7b0..649422604 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
index 014c135af..0c582b4b3 100644
--- a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
index c2e0941f4..fbce5a56e 100644
--- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/04"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index bdeb5f635..ee9317630 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/22"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index dead475a6..bf92a747d 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/27"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index 738bcbc65..c98935283 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/21"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
index 2c14a911f..eb15faa32 100644
--- a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/17"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index 2bd341243..f4511a806 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/29"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index 7d781bb60..779693daf 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/24"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index db3416160..2d655265e 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/03"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_timestomp_touch.toml b/rules/linux/defense_evasion_timestomp_touch.toml
index 8090a80a0..e4e347816 100644
--- a/rules/linux/defense_evasion_timestomp_touch.toml
+++ b/rules/linux/defense_evasion_timestomp_touch.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/03"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 22dbfb11c..5ca7bea94 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/23"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 5abada792..dc447b0ca 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/27"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/discovery_whoami_commmand.toml b/rules/linux/discovery_whoami_commmand.toml
index f5486c3f9..ff2d9ab2d 100644
--- a/rules/linux/discovery_whoami_commmand.toml
+++ b/rules/linux/discovery_whoami_commmand.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 83dc5641a..9d3516c5a 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/16"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 15db2e736..ba16bcb0e 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/15"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/linux_hping_activity.toml
index b0170f9f4..456cc65eb 100644
--- a/rules/linux/linux_hping_activity.toml
+++ b/rules/linux/linux_hping_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/linux_iodine_activity.toml b/rules/linux/linux_iodine_activity.toml
index 1995a668b..f4a4639fe 100644
--- a/rules/linux/linux_iodine_activity.toml
+++ b/rules/linux/linux_iodine_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml
index 60470c726..048758f4b 100644
--- a/rules/linux/linux_mknod_activity.toml
+++ b/rules/linux/linux_mknod_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/linux_nmap_activity.toml b/rules/linux/linux_nmap_activity.toml
index cd46127a8..e52019b8c 100644
--- a/rules/linux/linux_nmap_activity.toml
+++ b/rules/linux/linux_nmap_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/linux_nping_activity.toml b/rules/linux/linux_nping_activity.toml
index 9422ec52d..a1e6ac148 100644
--- a/rules/linux/linux_nping_activity.toml
+++ b/rules/linux/linux_nping_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/linux_process_started_in_temp_directory.toml b/rules/linux/linux_process_started_in_temp_directory.toml
index 815b85582..6e2aac593 100644
--- a/rules/linux/linux_process_started_in_temp_directory.toml
+++ b/rules/linux/linux_process_started_in_temp_directory.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/linux_socat_activity.toml b/rules/linux/linux_socat_activity.toml
index 67f9cab55..71a024ac6 100644
--- a/rules/linux/linux_socat_activity.toml
+++ b/rules/linux/linux_socat_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/linux_strace_activity.toml b/rules/linux/linux_strace_activity.toml
index ca21b8d3d..80afb10b0 100644
--- a/rules/linux/linux_strace_activity.toml
+++ b/rules/linux/linux_strace_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/persistence_kernel_module_activity.toml b/rules/linux/persistence_kernel_module_activity.toml
index 02b52f082..1e7dcb1fc 100644
--- a/rules/linux/persistence_kernel_module_activity.toml
+++ b/rules/linux/persistence_kernel_module_activity.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 419ae6e7d..28efd1873 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
index edd66ce6a..75a3544c7 100644
--- a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
+++ b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/23"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml
index 722d8144d..a8de6d458 100644
--- a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml
+++ b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/23"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/linux/privilege_escalation_sudoers_file_mod.toml b/rules/linux/privilege_escalation_sudoers_file_mod.toml
index 59f403671..0e8d1e731 100644
--- a/rules/linux/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/linux/privilege_escalation_sudoers_file_mod.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/13"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/macos/credential_access_compress_credentials_keychains.toml b/rules/macos/credential_access_compress_credentials_keychains.toml
index 7cca07faf..eb9ca8b92 100644
--- a/rules/macos/credential_access_compress_credentials_keychains.toml
+++ b/rules/macos/credential_access_compress_credentials_keychains.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/14"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index 47f92c950..5c7959c5a 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/14"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index af140f60c..eaaee552f 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/16"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index dbe16bcb3..c1aa7fd86 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/14"
maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index e7615c656..01743136b 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index 772bd8cc2..c81d3030c 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index c00e4507b..4b53ebc2c 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index 586718edb..beaf581eb 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index 84d3d6d87..e8c5666d7 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index 6b3e81f32..09b0643ae 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index af71dc9e2..5cbfe769c 100644
--- a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index 48f9b2197..d504712cc 100644
--- a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index 067f7f177..95eafc5a2 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 70d2ba1a4..86237efb5 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 69bcc5c66..7a4cac33f 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
index 77f1efe08..d05a7aec3 100644
--- a/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
index 90302e2ae..6fe2b6ac7 100644
--- a/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
index e50031fbd..4a4ef5219 100644
--- a/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
index 75292ac16..0478e3229 100644
--- a/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
index b0ebbda76..b9fa25921 100644
--- a/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index cc326424f..5ac3a029e 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index d4615945c..d27f23971 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/05"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_dns_directly_to_the_internet.toml b/rules/network/command_and_control_dns_directly_to_the_internet.toml
index 506915faf..da3c6527b 100644
--- a/rules/network/command_and_control_dns_directly_to_the_internet.toml
+++ b/rules/network/command_and_control_dns_directly_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 3730ea4a9..2036e1f54 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index e5755fe1a..93a8be9c1 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
index 462d73d0c..01031aafa 100644
--- a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 93698877d..582a6c300 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
index 52899966d..51ad5dd05 100644
--- a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index d230acc88..9a4b82577 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index d6d6312d7..809addd84 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
index 900750178..5c2feb1c9 100644
--- a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
index 1c66532f6..c0132a80b 100644
--- a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
+++ b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
index 75811cf4f..77b5dbe62 100644
--- a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 8fd2456a8..a019bbb56 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_smtp_to_the_internet.toml b/rules/network/command_and_control_smtp_to_the_internet.toml
index b2081d102..a965bd378 100644
--- a/rules/network/command_and_control_smtp_to_the_internet.toml
+++ b/rules/network/command_and_control_smtp_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
index bf3232c82..e5c1877af 100644
--- a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
index 71672b4b7..837bd94cf 100644
--- a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
index 6e289dc34..a8764cae2 100644
--- a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index c4d7bb141..4c7c4ec73 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_tor_activity_to_the_internet.toml b/rules/network/command_and_control_tor_activity_to_the_internet.toml
index 4ac07e465..af716f030 100644
--- a/rules/network/command_and_control_tor_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_tor_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 0acce6226..7a5de5d23 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 7cb03569c..aa83ab10c 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
index d809ceacb..982fe1863 100644
--- a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
+++ b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
index 6e7fa293c..560d49396 100644
--- a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
+++ b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index cdb65043a..f10e861cb 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index 26b639d0f..7dab0942f 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index ecda216a7..958aa350a 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index 6565d4225..dec1290f9 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/11"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/attempt_to_deactivate_okta_network_zone.toml b/rules/okta/attempt_to_deactivate_okta_network_zone.toml
index 8ca18bfad..3f340e3ad 100644
--- a/rules/okta/attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/okta/attempt_to_deactivate_okta_network_zone.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/attempt_to_delete_okta_network_zone.toml b/rules/okta/attempt_to_delete_okta_network_zone.toml
index 94d4e4737..f23a34471 100644
--- a/rules/okta/attempt_to_delete_okta_network_zone.toml
+++ b/rules/okta/attempt_to_delete_okta_network_zone.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 754d13c30..a92f495ca 100644
--- a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
index 5922d0322..dbb036655 100644
--- a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/okta/impact_possible_okta_dos_attack.toml
index b126b11a0..b96161cb5 100644
--- a/rules/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/okta/impact_possible_okta_dos_attack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index f7b146d3b..7fdb055fb 100644
--- a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_application.toml b/rules/okta/okta_attempt_to_deactivate_okta_application.toml
index b4ea6e211..7a0e35e32 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/okta/okta_attempt_to_deactivate_okta_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_policy.toml b/rules/okta/okta_attempt_to_deactivate_okta_policy.toml
index d972f30b7..37a76d8f8 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/okta/okta_attempt_to_deactivate_okta_policy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
index a3b70e11d..7077082fb 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_delete_okta_application.toml b/rules/okta/okta_attempt_to_delete_okta_application.toml
index 6af673dea..4cbc57015 100644
--- a/rules/okta/okta_attempt_to_delete_okta_application.toml
+++ b/rules/okta/okta_attempt_to_delete_okta_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/okta/okta_attempt_to_delete_okta_policy.toml
index e1e89d52f..16d343e80 100644
--- a/rules/okta/okta_attempt_to_delete_okta_policy.toml
+++ b/rules/okta/okta_attempt_to_delete_okta_policy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml b/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml
index 5ff8b26f3..c40b33153 100644
--- a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_modify_okta_application.toml b/rules/okta/okta_attempt_to_modify_okta_application.toml
index b63b44d7f..e7d70d0d6 100644
--- a/rules/okta/okta_attempt_to_modify_okta_application.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
index b2406c88d..dcc290ac6 100644
--- a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/okta/okta_attempt_to_modify_okta_policy.toml
index 51a1cfd37..ec4de2633 100644
--- a/rules/okta/okta_attempt_to_modify_okta_policy.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_policy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml b/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml
index 88ca6b66a..b021a3017 100644
--- a/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index e541a1e35..21e0b1175 100644
--- a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/01"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
index 79fe30aa3..c1def11a9 100644
--- a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 76109660c..1438589a6 100644
--- a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
index cd489e8d3..7ab0cbd18 100644
--- a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/okta/persistence_attempt_to_create_okta_api_token.toml
index 58e9ef527..0281e48dd 100644
--- a/rules/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml index 96b49624c..fcb965d07 100644 --- a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml +++ b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/20" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index 4d61ee298..d3f397ea6 100644 --- a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/promotions/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml index 282d49eb5..d70082281 100644 --- a/rules/promotions/elastic_endpoint.toml +++ b/rules/promotions/elastic_endpoint.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/promotions/endpoint_adversary_behavior_detected.toml b/rules/promotions/endpoint_adversary_behavior_detected.toml index 1f1f0b4ea..02bdfd479 100644 --- a/rules/promotions/endpoint_adversary_behavior_detected.toml +++ b/rules/promotions/endpoint_adversary_behavior_detected.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" severity = "medium" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_cred_dumping_detected.toml b/rules/promotions/endpoint_cred_dumping_detected.toml index 80de70373..387846c01 100644 --- a/rules/promotions/endpoint_cred_dumping_detected.toml +++ b/rules/promotions/endpoint_cred_dumping_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 73 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" severity = "high" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_cred_dumping_prevented.toml b/rules/promotions/endpoint_cred_dumping_prevented.toml index 6cd02c94e..2e88be52c 100644 --- a/rules/promotions/endpoint_cred_dumping_prevented.toml +++ b/rules/promotions/endpoint_cred_dumping_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 47 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" severity = "medium" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_cred_manipulation_detected.toml b/rules/promotions/endpoint_cred_manipulation_detected.toml index 7ae86453d..45cd5d2f6 100644 --- a/rules/promotions/endpoint_cred_manipulation_detected.toml +++ b/rules/promotions/endpoint_cred_manipulation_detected.toml 
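Review bot: Dropping `timestamp_override = "event.ingested"` from endpoint_adversary_behavior_detected, endpoint_cred_dumping_detected and endpoint_cred_dumping_prevented means these promotion rules will again window on `@timestamp` (the event time the agent recorded) rather than on arrival time, so an endpoint alert that reaches the cluster after the rule's lookback has passed — offline host, agent backlog, ingest delay — is never promoted to a detection alert. The hunk gives no reason for the removal and the rule body (`from`/`interval`, the `query = '''` opened at the end of the hunk) lies outside it, so I cannot tell whether the lookback was widened to compensate. If the removal is deliberate, say so next to the remaining keys, e.g. `# NOTE: no timestamp_override; endpoint alerts that arrive after the lookback window are not promoted`, or widen `from` so late-arriving critical/high alerts are not silently dropped. The `[rule]` table for each of these rules starts and ends outside the `@@ -19,7 +19,6 @@` hunk.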
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 73 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" severity = "high" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_cred_manipulation_prevented.toml b/rules/promotions/endpoint_cred_manipulation_prevented.toml index d95623a81..a2fbe0f02 100644 --- a/rules/promotions/endpoint_cred_manipulation_prevented.toml +++ b/rules/promotions/endpoint_cred_manipulation_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 47 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" severity = "medium" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_exploit_detected.toml b/rules/promotions/endpoint_exploit_detected.toml index ec78c1c59..4a8fb3521 100644 --- a/rules/promotions/endpoint_exploit_detected.toml +++ b/rules/promotions/endpoint_exploit_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 73 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" severity = "high" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_exploit_prevented.toml b/rules/promotions/endpoint_exploit_prevented.toml index cc1d03718..8db8a7636 100644 --- a/rules/promotions/endpoint_exploit_prevented.toml +++ b/rules/promotions/endpoint_exploit_prevented.toml 
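Review bot: Removing `timestamp_override = "event.ingested"` from endpoint_cred_manipulation_detected, endpoint_cred_manipulation_prevented and endpoint_exploit_detected reopens a detection gap for late-arriving endpoint alerts: a high-severity credential-manipulation or exploit alert whose `@timestamp` predates the rule's lookback window when it is finally ingested will not be promoted. Whether that gap is acceptable depends on the `from`/`interval` values, which sit in the `[rule]` table outside this hunk. Please record the rationale in the rule, e.g. `# NOTE: schedules on @timestamp; alerts ingested after the lookback window are not promoted`, or confirm the lookback covers expected agent/ingest delay. The `[rule]` table continues past the `query = '''` line that closes the hunk.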
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 47 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" severity = "medium" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_malware_detected.toml b/rules/promotions/endpoint_malware_detected.toml index 82d84fe41..09aa8feec 100644 --- a/rules/promotions/endpoint_malware_detected.toml +++ b/rules/promotions/endpoint_malware_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 99 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" severity = "critical" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_malware_prevented.toml b/rules/promotions/endpoint_malware_prevented.toml index 0f771bf01..f879b6b5f 100644 --- a/rules/promotions/endpoint_malware_prevented.toml +++ b/rules/promotions/endpoint_malware_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 73 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" severity = "high" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_permission_theft_detected.toml b/rules/promotions/endpoint_permission_theft_detected.toml index 88cf19d04..6e0de9d69 100644 --- a/rules/promotions/endpoint_permission_theft_detected.toml +++ b/rules/promotions/endpoint_permission_theft_detected.toml 
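Review bot: For endpoint_exploit_prevented, endpoint_malware_detected (severity critical, risk_score 99) and endpoint_malware_prevented, deleting `timestamp_override = "event.ingested"` means the promotion query is bounded by the event's own `@timestamp`; a malware alert from a host that was offline or whose agent queued events beyond the rule's lookback will be present in the index but never produce a signal. The hunk does not state why the override is being withdrawn, and the lookback (`from`) is outside the visible lines, so I am inferring the exposure rather than measuring it. A one-line comment such as `# NOTE: no timestamp_override; late-ingested endpoint alerts outside the lookback are not promoted` near `type = "query"` would keep the trade-off visible to whoever tunes these rules next. The enclosing `[rule]` table runs past the end of the hunk.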
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 73 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" severity = "high" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_permission_theft_prevented.toml b/rules/promotions/endpoint_permission_theft_prevented.toml index 32a81c026..ddbd069f5 100644 --- a/rules/promotions/endpoint_permission_theft_prevented.toml +++ b/rules/promotions/endpoint_permission_theft_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 47 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" severity = "medium" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_process_injection_detected.toml b/rules/promotions/endpoint_process_injection_detected.toml index cf7a8440f..df8336bbc 100644 --- a/rules/promotions/endpoint_process_injection_detected.toml +++ b/rules/promotions/endpoint_process_injection_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 73 rule_id = "80c52164-c82a-402c-9964-852533d58be1" severity = "high" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_process_injection_prevented.toml b/rules/promotions/endpoint_process_injection_prevented.toml index f638235d0..5d13e9090 100644 --- a/rules/promotions/endpoint_process_injection_prevented.toml 
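Review bot: The removal of `timestamp_override = "event.ingested"` from endpoint_permission_theft_detected, endpoint_permission_theft_prevented and endpoint_process_injection_detected is unexplained in the hunk and changes which alerts these rules can see: the query window is now evaluated against the agent-recorded `@timestamp`, so endpoint alerts that land after the lookback has elapsed are silently skipped. If this is a compatibility revert, note it next to the remaining rule keys, e.g. `# NOTE: timestamp_override intentionally omitted; widen 'from' if endpoint ingest lag exceeds the lookback`, so it is not re-added or re-removed blindly later. I cannot see `from`/`interval` here, as the `[rule]` table extends beyond the `query = '''` line that ends the hunk.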
+++ b/rules/promotions/endpoint_process_injection_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 47 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" severity = "medium" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_ransomware_detected.toml b/rules/promotions/endpoint_ransomware_detected.toml index 3744b297c..22d2f0889 100644 --- a/rules/promotions/endpoint_ransomware_detected.toml +++ b/rules/promotions/endpoint_ransomware_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 99 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" severity = "critical" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/endpoint_ransomware_prevented.toml b/rules/promotions/endpoint_ransomware_prevented.toml index fd7e39735..6210f58d1 100644 --- a/rules/promotions/endpoint_ransomware_prevented.toml +++ b/rules/promotions/endpoint_ransomware_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -19,7 +19,6 @@ risk_score = 73 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" severity = "high" tags = ["Elastic", "Endpoint Security"] -timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 5ee1d09ae..d3468f6df 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml 
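Review bot: Dropping `timestamp_override = "event.ingested"` from endpoint_process_injection_prevented, endpoint_ransomware_detected (severity critical) and endpoint_ransomware_prevented means a ransomware alert ingested late — the exact situation where a host was isolated or its agent lagged — can fall outside the `@timestamp`-based lookback and never be promoted, which is a worse failure mode for these rules than for lower-severity ones. The commit gives no reason for the change and the `from`/`interval` settings are outside this hunk, so the real exposure is an inference. Please either document the decision inline, e.g. `# NOTE: schedules on @timestamp; alerts ingested after the lookback window are not promoted`, or confirm the lookback absorbs expected ingest delay. Each rule's `[rule]` table starts before and ends after the `@@ -19,7 +19,6 @@` hunk.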
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 31c423388..a7d183139 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/15" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml index 1a7e44294..34346ab4f 100644 --- a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/15" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index fa26f0c18..fe9058af5 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index e031a5d1a..40cbca034 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index 610b5b595..05fc77907 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index 6eb1fd2b5..8a8569965 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/03" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index e6621f467..84383c79f 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/03" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml index 792c1edb1..70c6e35f9 100644 --- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml 
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/14" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index f8d307ecb..20e191487 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index ee47e728c..0575d2c79 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/24" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index caf77fca3..01d67fb32 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/24" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index 9298175ea..0fe5485c3 100755 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml 
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 22f7556a7..8f154d611 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/13" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index 4803f6b5c..7f28dea6b 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/23" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml index b6cde90f0..abe1650e8 100644 --- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 7bb36da2d..dcfb9571c 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml 
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index d37cb96be..103a8a5ea 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/02" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index 0ff5e27e4..2acd8b82a 100644 --- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/24" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index 92b1073f8..39fe8e341 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/31" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index f2f926d65..a225252ed 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml 
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/07" maturity = "development" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index 4c3dd2cb0..9077987f5 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 55bb9472c..2f90eeb38 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/windows/defense_evasion_code_injection_conhost.toml index f2eb20402..1178253a5 100644 --- a/rules/windows/defense_evasion_code_injection_conhost.toml +++ b/rules/windows/defense_evasion_code_injection_conhost.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/31" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml index 7a3c14d61..b92404bb5 100644 --- a/rules/windows/defense_evasion_cve_2020_0601.toml 
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/19" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index 18b492ac9..26ed585e7 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml index 30eca01e7..0f8fb2a78 100644 --- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index c26ee2906..c0c95a88e 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index 71a60f827..70ae13691 100644 
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/21" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index ca0083962..61394a8c5 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/13" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml index 6b108fce6..2eb32ecc9 100644 --- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml +++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index b64cc77ef..ea23b1916 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/13" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 37e00af98..6ba9be9cb 100755 
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index ae4376775..812e39838 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 6c47ff2fb..dbf6e07d7 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 525ca2a56..712d44c41 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index c2eb1a96b..ed1c02aef 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index a956f4025..caaab3f83 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/03" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml index 4c3d4909f..067981430 100644 --- a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml +++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 1fdc06cff..20b35f3f3 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/25" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 4a39498d1..dca895f1a 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/04/14" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index 129affe94..0a556c8df 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index c61df87fd..13a2c3802 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/24" maturity = "production" -updated_date = "2020/02/16" +updated_date = "2021/02/16" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index d8323088b..7a66ab079 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml 
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 1a65d3366..c905270ec 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index fefdf7b54..9ec435f03 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml
index 05c7e5a4e..c1195090e 100644
--- a/rules/windows/defense_evasion_modification_of_boot_config.toml
+++ b/rules/windows/defense_evasion_modification_of_boot_config.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/16"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_port_forwarding_added_registry.toml b/rules/windows/defense_evasion_port_forwarding_added_registry.toml
index ffbcda7cc..47b1ba68f 100644
--- a/rules/windows/defense_evasion_port_forwarding_added_registry.toml
+++ b/rules/windows/defense_evasion_port_forwarding_added_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 6c7f159ba..593408124 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index d492f2451..3b02bc34c 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 5723ce2fc..290756e90 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 269de880e..43da36299 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 6a68a52e4..5c9594343 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 1bce431b3..bd5d37d82 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 9e17dca80..c15c2d2cb 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index 1c0a4810d..922a0b9b9 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 526de67a7..786c61868 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
index e0dd3094b..46349fa4c 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index b392e7cab..d21ff258c 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index e00ee2022..e2281b6b7 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_file_dir_discovery.toml b/rules/windows/discovery_file_dir_discovery.toml
index 83e28822d..8a957116c 100644
--- a/rules/windows/discovery_file_dir_discovery.toml
+++ b/rules/windows/discovery_file_dir_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 9843967ed..4019583d3 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index e395e66f9..0352a7cfd 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 25b950442..9ec66be19 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_process_discovery_via_tasklist_command.toml b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
index 921d0672c..6ab19ea88 100644
--- a/rules/windows/discovery_process_discovery_via_tasklist_command.toml
+++ b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_query_registry_via_reg.toml b/rules/windows/discovery_query_registry_via_reg.toml
index d34f20d90..31c33e802 100644
--- a/rules/windows/discovery_query_registry_via_reg.toml
+++ b/rules/windows/discovery_query_registry_via_reg.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index c92eb372f..0f2ad0e8b 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index 7e114bd0b..2e9ecca95 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 0abc650d3..86efebe2d 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 1916f97bc..cb1426c54 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index d93914c02..661ab2596 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml
index ba0c94b01..fe9e006f1 100644
--- a/rules/windows/execution_command_shell_started_by_powershell.toml
+++ b/rules/windows/execution_command_shell_started_by_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index e8680e9b1..e6f1b79fb 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index a5ff83d06..b229b6b44 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index 66df5e147..ca87ccd07 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_from_unusual_directory.toml b/rules/windows/execution_from_unusual_directory.toml
index dc1692ec2..b29d957c0 100644
--- a/rules/windows/execution_from_unusual_directory.toml
+++ b/rules/windows/execution_from_unusual_directory.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index e31033c07..65152e865 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 8ffd5b077..6b92db3f6 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index ca8a232ae..5874046e6 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 174a5f197..0b5256102 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index dce31214c..24c99cfcc 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/30"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index 2757eef75..6b2a695e0 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index deb907dc2..508bb1d14 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_short_program_name.toml b/rules/windows/execution_suspicious_short_program_name.toml
index 181315d28..9cc848c46 100644
--- a/rules/windows/execution_suspicious_short_program_name.toml
+++ b/rules/windows/execution_suspicious_short_program_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 53cab0098..772bcf1c1 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 311d90439..b09b0a409 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml
index 61e050a72..a7a28b402 100644
--- a/rules/windows/execution_via_net_com_assemblies.toml
+++ b/rules/windows/execution_via_net_com_assemblies.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index 747f19a96..f3a949011 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
index 15a04f571..7b0aaa9ca 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 8805654a3..a81687c71 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index c79d081a8..c0c415a42 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 8465d1b44..5ab3ad385 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index b655d79bd..5851267e7 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index 4ffb4baf5..46ddf199b 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 0ccfff621..bec95c9c9 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/29"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index c445ff0b2..453a2da8c 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index f39d2ddfb..7474e27aa 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_local_service_commands.toml b/rules/windows/lateral_movement_local_service_commands.toml
index aaeda562b..7a595f1a3 100644
--- a/rules/windows/lateral_movement_local_service_commands.toml
+++ b/rules/windows/lateral_movement_local_service_commands.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index b620abdb3..206e07a61 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index ffb5d498b..85a79a3c9 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_rdp_tunnel_plink.toml b/rules/windows/lateral_movement_rdp_tunnel_plink.toml
index c72004e42..2763fe762 100644
--- a/rules/windows/lateral_movement_rdp_tunnel_plink.toml
+++ b/rules/windows/lateral_movement_rdp_tunnel_plink.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 5dc4bd9e4..6dce92dfb 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index b5177ab59..bc8323780 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 76e4bb0bd..f8db43fe7 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 9c2b595a2..7f950f2a4 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index f5ebacc0d..d64f6a63c 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index ecd855881..297a97462 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 7481e32b2..8637de1bd 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index 223cce26b..c39d586fd 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml
index 4aebe3ab7..543d8a3de 100644
--- a/rules/windows/persistence_local_scheduled_task_commands.toml
+++ b/rules/windows/persistence_local_scheduled_task_commands.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index 727488204..ee8e81480 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/16"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 1ca0f0fff..913ab703d 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index c6cdb1298..7a9025f04 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 7644fc5d1..626cc64ae 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 2ac12d2c3..582133244 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 485c54525..31ea96df5 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 151b23561..1fcf98444 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index cfd5da9cc..de10d27fb 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index d29191a35..b1550982a 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 892f665e7..1c18fef83 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 4cf25578d..5b96e95f2 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index efc9d0896..2e01f5392 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 4b773f273..3c8a92268 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 2f5bc1c0a..fe6960951 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 455cc97c9..b2e54eec4 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 6604e0d58..543db7575 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 0efdd3391..ad008614d 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index 0ce4fa623..b971fff67 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 8a6876efd..09cb796fb 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index f721a8f94..09bad8242 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 82cc15149..7fa1807e7 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index c86e28d8e..accd84059 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index 58fa550e3..16abef52c 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 64eb6fe77..68aa8b32b 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index f61610e6f..651cd1b01 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 56b4a6a06..f8d09b17c 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index d5fa7ea5f..a96657255 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 30b8f9cee..4b71eb31e 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index 0b23af5e8..ab6eac5a2 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 41bbb858e..dffbc101a 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/17"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 5aeb6109f..bc16727ce 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/26"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 4386679c7..1d7846d27 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 02ef61571..ea6692fd1 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 9502c46d8..125e9dd7c 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 [rule]
 author = ["Elastic"]