From 95908c22a4856e6f6ed5f66329945c3d83bf6d1e Mon Sep 17 00:00:00 2001 
From: Justin Ibarra
Date: Tue, 7 Jul 2020 13:43:33 -0500
Subject: [PATCH] Improve ECS compatibility for endpoint rules
---
 .../credential_access_tcpdump_activity.toml | 6 +++---
 ...tempt_to_disable_iptables_or_firewall.toml | 15 ++++++++-------
 ...ion_attempt_to_disable_syslog_service.toml | 10 +++++++---
 ..._base32_encoding_or_decoding_activity.toml | 7 ++++---
 ..._base64_encoding_or_decoding_activity.toml | 7 ++++---
 ...deletion_of_bash_command_line_history.toml | 7 ++++---
 ...fense_evasion_disable_selinux_attempt.toml | 6 +++---
 ...fense_evasion_file_deletion_via_shred.toml | 7 ++++---
 ...defense_evasion_file_mod_writable_dir.toml | 9 ++++++---
 ...ion_hex_encoding_or_decoding_activity.toml | 7 +++----
 .../defense_evasion_hidden_file_dir_tmp.toml | 10 ++++++----
 ...defense_evasion_kernel_module_removal.toml | 8 ++++----
 .../discovery_kernel_module_enumeration.toml | 7 ++++---
 ...covery_virtual_machine_fingerprinting.toml | 13 +++++++++----
 rules/linux/discovery_whoami_commmand.toml | 6 +++---
 rules/linux/execution_perl_tty_shell.toml | 7 ++++---
 rules/linux/execution_python_tty_shell.toml | 9 ++++++---
 ...ment_telnet_network_activity_external.toml | 8 +++++---
 ...ment_telnet_network_activity_internal.toml | 9 ++++++---
 rules/linux/linux_hping_activity.toml | 6 +++---
 rules/linux/linux_iodine_activity.toml | 6 +++---
 rules/linux/linux_mknod_activity.toml | 6 +++---
 .../linux_netcat_network_connection.toml | 7 ++++---
 rules/linux/linux_nmap_activity.toml | 6 +++---
 rules/linux/linux_nping_activity.toml | 6 +++---
 ...nux_process_started_in_temp_directory.toml | 6 +++---
 rules/linux/linux_socat_activity.toml | 6 +++---
 rules/linux/linux_strace_activity.toml | 6 +++---
 .../persistence_kernel_module_activity.toml | 6 +++---
 ...sistence_shell_activity_by_web_server.toml | 7 ++++---
 ...e_escalation_setgid_bit_set_via_chmod.toml | 8 +++++---
 ...e_escalation_setuid_bit_set_via_chmod.toml | 8 +++++---
 ...privilege_escalation_sudoers_file_mod.toml | 6 +++---
 ...d_control_certutil_network_connection.toml | 5 +++--
 ...ial_access_credential_dumping_msbuild.toml | 8 +++++---
 ...den_file_attribute_with_via_attribexe.toml | 6 +++---
 ...e_evasion_clearing_windows_event_logs.toml | 8 +++++---
 ...delete_volume_usn_journal_with_fsutil.toml | 7 ++++---
 ...deleting_backup_catalogs_with_wbadmin.toml | 7 ++++---
 ...ble_windows_firewall_rules_with_netsh.toml | 8 +++++---
 ...coding_or_decoding_files_via_certutil.toml | 7 ++++---
 ...ecution_msbuild_started_by_office_app.toml | 8 ++++----
 ...n_execution_msbuild_started_by_script.toml | 7 ++++---
 ...ion_msbuild_started_by_system_process.toml | 7 ++++---
 ...ion_execution_msbuild_started_renamed.toml | 8 ++++----
 ...cution_msbuild_started_unusal_process.toml | 6 +++---
 ...isc_lolbin_connecting_to_the_internet.toml | 8 +++++---
 ...e_evasion_modification_of_boot_config.toml | 9 ++++++---
 ...ume_shadow_copy_deletion_via_vssadmin.toml | 7 ++++---
 ..._volume_shadow_copy_deletion_via_wmic.toml | 7 ++++---
 .../discovery_net_command_system_account.toml | 6 ++++--
 ...and_prompt_connecting_to_the_internet.toml | 8 +++++---
 ...n_command_shell_started_by_powershell.toml | 7 ++++---
 ...tion_command_shell_started_by_svchost.toml | 7 ++++---
 ...le_program_connecting_to_the_internet.toml | 8 +++++---
 .../execution_local_service_commands.toml | 8 +++++---
 ...on_msbuild_making_network_connections.toml | 8 +++++---
 ...tion_mshta_making_network_connections.toml | 6 +++---
 rules/windows/execution_msxsl_network.toml | 8 +++++---
 ...ution_psexec_lateral_movement_command.toml | 6 +++---
 ...er_program_connecting_to_the_internet.toml | 8 +++++---
 ...execution_script_executing_powershell.toml | 8 +++++---
 ...on_suspicious_ms_office_child_process.toml | 16 +++++++++++++---
 ...n_suspicious_ms_outlook_child_process.toml | 15 ++++++++++++---
 .../execution_suspicious_pdf_reader.toml | 13 +++++++++++--
 ...usual_network_connection_via_rundll32.toml | 8 +++++---
 ...on_unusual_process_network_connection.toml | 8 +++++---
.../execution_via_net_com_assemblies.toml | 4 ++-- ...vement_direct_outbound_smb_connection.toml | 9 ++++++--- .../persistence_adobe_hijack_persistence.toml | 9 ++++++--- ...istence_local_scheduled_task_commands.toml | 8 +++++--- ...ersistence_system_shells_via_services.toml | 8 +++++--- .../persistence_user_account_creation.toml | 9 ++++++--- ...ge_escalation_uac_bypass_event_viewer.toml | 8 +++++--- ...tion_unusual_parentchild_relationship.toml | 19 ++++++++++++++++--- 75 files changed, 362 insertions(+), 231 deletions(-) diff --git a/rules/linux/credential_access_tcpdump_activity.toml b/rules/linux/credential_access_tcpdump_activity.toml index cb3936eb9..fe3eda4f6 100644 --- a/rules/linux/credential_access_tcpdump_activity.toml +++ b/rules/linux/credential_access_tcpdump_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:tcpdump and event.action:executed +event.category:process and event.type:(start or process_started) and process.name:tcpdump ''' diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index e587354c5..a4101037d 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -1,6 +1,6 @@ [metadata] creation_date = "2020/04/24" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" updated_date = "2020/07/01" 
@@ -21,11 +21,13 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:(executed or process_started) and ( - (process.name:service and process.args:stop) or - (process.name:chkconfig and process.args:off) or - (process.name:systemctl and process.args:(disable or stop or kill)) -) and process.args:(ip6tables or iptables or firewalld) +event.category:process and event.type:(start or process_started) and + process.name:ufw and process.args:(allow or disable or reset) or + + (((process.name:service and process.args:stop) or + (process.name:chkconfig and process.args:off) or + (process.name:systemctl and process.args:(disable or stop or kill))) and + process.args:(firewalld or ip6tables or iptables)) ''' @@ -41,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1089/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 500dce906..58d8295f8 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/27" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/27" +updated_date = "2020/06/25" [rule] author = ["Elastic"] 
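Review bot: The `event.category:process and event.type:(start or process_started)` gate on the first added query line applies only to the `ufw` branch, because KQL gives `and` higher precedence than `or`; the `service`/`chkconfig`/`systemctl` alternative after the blank line can match with no category or type constraint at all, so it will fire on any event that happens to carry those process fields. Grouping the two alternatives restores the gate for both: keep the first line, replace the second with `  ((process.name:ufw and process.args:(allow or disable or reset)) or`, leave the service/chkconfig/systemctl lines as written, and end the last line with one more parenthesis, `process.args:(firewalld or ip6tables or iptables)))`. The query in defense_evasion_clearing_windows_event_logs.toml in this same patch has the identical shape (`process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog`) and needs the same grouping around its two branches.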
@@ -21,7 +21,11 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:(executed or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or "syslog-ng") +event.category:process and event.type:(start or process_started) and + ((process.name:service and process.args:stop) or + (process.name:chkconfig and process.args:off) or + (process.name:systemctl and process.args:(disable or stop or kill))) + and process.args:(syslog or rsyslog or "syslog-ng") ''' diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 63eb78b61..d522903a1 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/17" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/17" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -24,7 +24,8 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:(executed or process_started) and process.name:(base16 or base32 or base32plain or base32hex) +event.category:process and event.type:(start or process_started) and + process.name:(base16 or base32 or base32plain or base32hex) ''' diff --git a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml index f95b6bfd1..55d967cc5 100644 --- a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml 
@@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/17" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/17" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -24,7 +24,8 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:(executed or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem) +event.category:process and event.type:(start or process_started) and + process.name:(base64 or base64plain or base64url or base64mime or base64pem) ''' diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml index 5b5494c8e..d5ba3ca38 100644 --- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/05/04" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/24" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -21,7 +21,8 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:executed AND process.name:rm AND process.args:/\/(home\/.{1,255}|root)\/\.bash_history/ +event.category:process AND event.type:(start or process_started) AND process.name:rm AND + process.args:/\/(home\/.{1,255}|root)\/\.bash_history/ ''' diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index abb80e89c..2e969a3e9 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/22" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/22" +updated_date = "2020/06/25" [rule] author = ["Elastic"] 
@@ -22,7 +22,7 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:executed and process.name:setenforce and process.args:0 +event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0 ''' diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 604099ad7..1a01dded1 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/27" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/27" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -22,7 +22,8 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:(executed or process_started) and process.name:shred and process.args:("-u" or "--remove" or "-z" or "--zero") +event.category:process and event.type:(start or process_started) and process.name:shred and + process.args:("-u" or "--remove" or "-z" or "--zero") ''' diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index dd2b2cb3c..58ddf298e 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/21" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/21" +updated_date = "2020/06/25" [rule] author = ["Elastic"] 
@@ -27,7 +27,10 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:executed and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root +event.category:process and event.type:(start or process_started) and + process.name:(chmod or chown or chattr or chgrp) and + process.working_directory:(/tmp or /var/tmp or /dev/shm) and + not user.name:root ''' diff --git a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml index fb6d07a9f..4622d56e0 100644 --- a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/17" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/17" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:(executed or process_started) and process.name:(hex or xxd) +event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd) ''' @@ -52,4 +52,3 @@ reference = "https://attack.mitre.org/techniques/T1027/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 0f0727f79..ff1f8e27e 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/29" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/29" +updated_date = "2020/06/25" [rule] author = ["Elastic"] 
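Review bot: Replacing `hex` with `hexdump or od` in the added query line changes which binaries this rule matches, which goes beyond the ECS field migration named in the subject and is easy to miss in a 75-file patch; it deserves a sentence in the commit message or a separate commit. `od` in particular is likely to appear in routine scripts, so the match-volume impact of adding it is worth checking before this ships as production maturity.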
@@ -29,7 +29,10 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:executed AND process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") AND process.args:/\.[a-zA-Z0-9_\-][a-zA-Z0-9_\-\.]{1,254}/ AND NOT process.name:(cd or ls or find) +event.category:process AND event.type:(start or process_started) AND + process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") AND + process.args:/\.[a-zA-Z0-9_\-][a-zA-Z0-9_\-\.]{1,254}/ AND + NOT process.name:(ls or find) ''' @@ -57,4 +60,3 @@ reference = "https://attack.mitre.org/techniques/T1158/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index d401138c4..99b10e169 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/24" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/24" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -29,7 +29,8 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:executed and process.args:(rmmod and sudo or modprobe and sudo and ("--remove" or "-r")) +event.category:process and event.type:(start or process_started) and + process.args:((rmmod and sudo) or (modprobe and sudo and ("--remove" or "-r"))) ''' @@ -57,4 +58,3 @@ reference = "https://attack.mitre.org/techniques/T1215/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index b75fb2e6b..1cdafc311 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml 
@@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/23" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/23" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -28,7 +28,8 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:executed and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo)) +event.category:process and event.type:(start or process_started) and + process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo)) ''' diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index 07de4f224..910708456 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/27" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/27" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -28,7 +28,13 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:executed and process.args:("/sys/class/dmi/id/bios_version" or "/sys/class/dmi/id/product_name" or "/sys/class/dmi/id/chassis_vendor" or "/proc/scsi/scsi" or "/proc/ide/hd0/model") and not user.name:root +event.category:process and event.type:(start or process_started) and + process.args:("/sys/class/dmi/id/bios_version" or + "/sys/class/dmi/id/product_name" or + "/sys/class/dmi/id/chassis_vendor" or + "/proc/scsi/scsi" or + "/proc/ide/hd0/model") and + not user.name:root ''' @@ -44,4 +50,3 @@ reference = "https://attack.mitre.org/techniques/T1082/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_whoami_commmand.toml b/rules/linux/discovery_whoami_commmand.toml index 47993b690..fae78e977 100644 --- a/rules/linux/discovery_whoami_commmand.toml 
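Review bot: The rewrapped `process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))` still relies on implicit `and`/`or` precedence, while the companion rule defense_evasion_kernel_module_removal.toml was given explicit grouping in this same patch; the two should read alike. Suggest `process.args:((kmod and list and sudo) or (sudo and (depmod or lsmod or modinfo)))`, which is what the current text already means under KQL precedence and so changes no matches.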
+++ b/rules/linux/discovery_whoami_commmand.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:whoami and event.action:executed +event.category:process and event.type:(start or process_started) and process.name:whoami ''' diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index 7ad4d2f41..d943e23a0 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/16" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/16" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -21,7 +21,8 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:executed and process.name:perl and process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";") +event.category:process and event.type:(start or process_started) and process.name:perl and + process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";") ''' diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 8305bca95..a7009e64f 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/15" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/15" +updated_date = "2020/06/25" [rule] author = ["Elastic"] 
@@ -21,7 +21,10 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:executed and process.name:python and process.args:("import pty; pty.spawn(\"/bin/sh\")" or "import pty; pty.spawn(\"/bin/dash\")" or "import pty; pty.spawn(\"/bin/bash\")") +event.category:process and event.type:(start or process_started) and process.name:python and + process.args:("import pty; pty.spawn(\"/bin/sh\")" or + "import pty; pty.spawn(\"/bin/dash\")" or + "import pty; pty.spawn(\"/bin/bash\")") ''' diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 0b55d9134..0e87cbe3b 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/23" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/23" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -29,7 +29,9 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:("connected-to" or "network_flow") and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128") +event.category:network and event.type:(connection or start) and + process.name:telnet and + not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128") ''' diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index fdf65515c..4039828ba 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml 
@@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/23" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/23" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -29,7 +29,10 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:("connected-to" or "network_flow") and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128")) +event.category:network and event.type:(connection or start) and + process.name:telnet and + destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10") and + not (127.0.0.0/8 or "::1/128")) ''' diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/linux_hping_activity.toml index 18bc77c1a..6743e6675 100644 --- a/rules/linux/linux_hping_activity.toml +++ b/rules/linux/linux_hping_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -28,6 +28,6 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:(hping or hping2 or hping3) and event.action:executed +event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3) ''' diff --git a/rules/linux/linux_iodine_activity.toml b/rules/linux/linux_iodine_activity.toml index 07b1096e9..6edbb8ed2 100644 --- a/rules/linux/linux_iodine_activity.toml +++ b/rules/linux/linux_iodine_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] 
@@ -28,6 +28,6 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:(iodine or iodined) and event.action:executed +event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined) ''' diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml index 4ada2fee2..da7970db7 100644 --- a/rules/linux/linux_mknod_activity.toml +++ b/rules/linux/linux_mknod_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -28,6 +28,6 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:mknod and event.action:executed +event.category:process and event.type:(start or process_started) and process.name:mknod ''' diff --git a/rules/linux/linux_netcat_network_connection.toml b/rules/linux/linux_netcat_network_connection.toml index 7c195d0ab..e0f83950f 100644 --- a/rules/linux/linux_netcat_network_connection.toml +++ b/rules/linux/linux_netcat_network_connection.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -34,6 +34,7 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action:(bound-socket or connected-to or socket_opened) +event.category:network and event.type:(access or connection or start) and + process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) ''' diff --git a/rules/linux/linux_nmap_activity.toml b/rules/linux/linux_nmap_activity.toml index f003bf0d1..3de1c6f12 100644 --- a/rules/linux/linux_nmap_activity.toml +++ b/rules/linux/linux_nmap_activity.toml 
@@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -30,6 +30,6 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:nmap +event.category:process and event.type:(start or process_started) and process.name:nmap ''' diff --git a/rules/linux/linux_nping_activity.toml b/rules/linux/linux_nping_activity.toml index d901685e9..5ef0f79cb 100644 --- a/rules/linux/linux_nping_activity.toml +++ b/rules/linux/linux_nping_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -28,6 +28,6 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:nping and event.action:executed +event.category:process and event.type:(start or process_started) and process.name:nping ''' diff --git a/rules/linux/linux_process_started_in_temp_directory.toml b/rules/linux/linux_process_started_in_temp_directory.toml index 4bcd55d54..fdb0c633a 100644 --- a/rules/linux/linux_process_started_in_temp_directory.toml +++ b/rules/linux/linux_process_started_in_temp_directory.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -24,6 +24,6 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.working_directory:/tmp and event.action:executed +event.category:process and event.type:(start or process_started) and process.working_directory:/tmp ''' diff --git a/rules/linux/linux_socat_activity.toml b/rules/linux/linux_socat_activity.toml index 185c69039..dcf23c241 100644 --- a/rules/linux/linux_socat_activity.toml +++ b/rules/linux/linux_socat_activity.toml 
@@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -29,6 +29,6 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:socat and not process.args:-V and event.action:executed +event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V ''' diff --git a/rules/linux/linux_strace_activity.toml b/rules/linux/linux_strace_activity.toml index 5fb37a46e..ddf7e9c47 100644 --- a/rules/linux/linux_strace_activity.toml +++ b/rules/linux/linux_strace_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -28,6 +28,6 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:strace and event.action:executed +event.category:process and event.type:(start or process_started) and process.name:strace ''' diff --git a/rules/linux/persistence_kernel_module_activity.toml b/rules/linux/persistence_kernel_module_activity.toml index f6edf09d8..2b845cd99 100644 --- a/rules/linux/persistence_kernel_module_activity.toml +++ b/rules/linux/persistence_kernel_module_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:(insmod or kmod or modprobe or rmod) and event.action:executed +event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod) ''' 
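Review bot: The added query line in persistence_kernel_module_activity.toml keeps `rmod` in `process.name:(insmod or kmod or modprobe or rmod)`; the module-removal utility is spelled `rmmod`, the form used by defense_evasion_kernel_module_removal.toml earlier in this patch, so this term appears to be a carried-over typo that never matches anything. Suggest `event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmmod)`.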
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index 4c5d3c683..309e66174 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -25,7 +25,8 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -process.name:(bash or dash) and user.name:(apache or nginx or www or "www-data") and event.action:executed +event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and + user.name:(apache or nginx or www or "www-data") ''' diff --git a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml index 12bc29c34..cd7eab95e 100644 --- a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml +++ b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/23" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/23" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -24,7 +24,9 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:(executed OR process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root +event.category:process AND event.type:(start or process_started) AND process.name:chmod AND + process.args:(g+s OR /2[0-9]{3}/) AND + NOT user.name:root ''' diff --git a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml index 4a69da17b..4e18554d2 100644 --- a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml 
+++ b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/23" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/23" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -24,7 +24,9 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.action:(executed OR process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root +event.category:process AND event.type:(start or process_started) AND process.name:chmod AND + process.args:(u+s OR /4[0-9]{3}/) AND + NOT user.name:root ''' diff --git a/rules/linux/privilege_escalation_sudoers_file_mod.toml b/rules/linux/privilege_escalation_sudoers_file_mod.toml index 9a379d8c9..799cb1577 100644 --- a/rules/linux/privilege_escalation_sudoers_file_mod.toml +++ b/rules/linux/privilege_escalation_sudoers_file_mod.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/04/13" -ecs_version = ["1.4.0"] +ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/04/13" +updated_date = "2020/06/25" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ tags = ["Elastic", "Linux"] type = "query" query = ''' -event.module:file_integrity and event.action:updated and file.path:/etc/sudoers +event.category:file and event.type:change and file.path:/etc/sudoers ''' diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index 7cfd55586..fd83e419d 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/19" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/03/19" +updated_date = "2020/06/24" [rule] author = ["Elastic"] 
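Review bot: The new sudoers query, `event.category:file and event.type:change and file.path:/etc/sudoers`, still matches only the main file, while sudo also reads drop-in files under /etc/sudoers.d/, so a change there goes undetected by this rule. If file.path is a keyword field a wildcard term covers both, e.g. `file.path:(/etc/sudoers or /etc/sudoers.d/*)`. Dropping the `event.module:file_integrity` constraint widens the rule to other file-event sources; that seems intended with the ECS migration but is worth a line in the rule description.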
@@ -21,7 +21,8 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:certutil.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+event.category:network and event.type:connection and process.name:certutil.exe and
+ not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 1dda8346c..72f64ca72 100755
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -22,8 +22,10 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-(winlog.event_data.OriginalFileName: (vaultcli.dll or SAMLib.DLL) or dll.name: (vaultcli.dll or SAMLib.DLL)) and
- process.name: MSBuild.exe and event.action: "Image loaded (rule: ImageLoad)"
+event.category:process and event.type:change and
+ (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or
+ dll.name:(vaultcli.dll or SAMLib.DLL)) and
+ process.name: MSBuild.exe
 '''
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 00a44f62f..aad135ad9 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:attrib.exe and process.args:+h
+event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h
 '''
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 43b54c591..a6de720d8 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog
+event.category:process and event.type:(start or process_started) and
+ process.name:wevtutil.exe and process.args:cl or
+ process.name:powershell.exe and process.args:Clear-EventLog
 '''
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 8b8fc9fde..977bddbf8 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
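Review bot: Operator precedence leaves the PowerShell branch of the rewritten event-log-clearing query unscoped: `and` binds tighter than `or`, so the new `event.category:process and event.type:(start or process_started)` prefix applies only to the `process.name:wevtutil.exe and process.args:cl` branch, and `process.name:powershell.exe and process.args:Clear-EventLog` matches any event type that carries those process fields. Grouping the two alternatives, `(process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog)`, restores the intended scope. The defense_evasion_disable_windows_firewall_rules_with_netsh.toml hunk further down has the same shape, where `process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)` leaves the second `process.args` alternative without the `process.name:netsh.exe` and category constraints and should become `process.args:((disable and firewall and set) or (advfirewall and off and state))`. The precedence problem predates this commit, but both lines are rewritten here, so this is the natural place to fix it.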
@@ -21,7 +21,8 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:fsutil.exe and process.args:(deletejournal and usn)
+event.category:process and event.type:(start or process_started) and
+ process.name:fsutil.exe and process.args:(deletejournal and usn)
 '''
diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
index affc6fc60..1c6b11577 100644
--- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,8 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:wbadmin.exe and process.args:(catalog and delete)
+event.category:process and event.type:(start or process_started) and
+ process.name:wbadmin.exe and process.args:(catalog and delete)
 '''
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index e88b9addb..8fb39ae61 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)
+event.category:process and event.type:(start or process_started) and
+ process.name:netsh.exe and
+ process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)
 '''
diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
index 0a84b2f68..af957a6b5 100644
--- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
+++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,8 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)
+event.category:process and event.type:(start or process_started) and
+ process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)
 '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 594460d2f..999768519 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -28,10 +28,10 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:MSBuild.exe and
+event.category:process and event.type:(start or process_started) and
+ process.name:MSBuild.exe and
 process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or
- mspub.exe or outlook.exe or powerpnt.exe or winword.exe) and
- event.action: "Process Create (rule: ProcessCreate)"
+ mspub.exe or outlook.exe or powerpnt.exe or winword.exe)
 '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 4d5dbc31f..0182da573 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -22,8 +22,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe) and
- event.action:"Process Create (rule: ProcessCreate)"
+event.category:process and event.type: start and
+ process.name:MSBuild.exe and
+ process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)
 '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 558b1569c..0483453ac 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
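Review bot: `event.type: start` in the rewritten query of defense_evasion_execution_msbuild_started_by_script.toml is narrower than the `event.type:(start or process_started)` that every other process rule in this commit uses, including the two neighbouring MSBuild rules, so a data source that emits `process_started` (evidently expected, given the other rules) would trigger those rules but silently miss this one. Unless the narrowing is deliberate, the line should read `event.category:process and event.type:(start or process_started) and`, which also removes the stray space after the colon that no other rule has.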
@@ -22,8 +22,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe) and
- event.action:"Process Create (rule: ProcessCreate)"
+event.category:process and event.type:(start or process_started) and
+ process.name:MSBuild.exe and
+ process.parent.name:(explorer.exe or wmiprvse.exe)
 '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 5338266e4..fe5653dda 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -22,9 +22,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-(pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName: MSBuild.exe) and
- not process.name: MSBuild.exe and
- event.action: "Process Create (rule: ProcessCreate)"
+event.category:process and event.type:(start or process_started) and
+ (pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and
+ not process.name: MSBuild.exe
 '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index b638e1067..0e2d97e1f 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,8 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)
+event.category:process and event.type:(start or process_started) and
+ process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)
 '''
@@ -44,4 +45,3 @@ reference = "https://attack.mitre.org/techniques/T1500/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 16f644ceb..36b7b839f 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+event.category:network and event.type:connection and
+ process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and
+ not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml
index d2022456a..a9a5b77d3 100644
--- a/rules/windows/defense_evasion_modification_of_boot_config.toml
+++ b/rules/windows/defense_evasion_modification_of_boot_config.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/16"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/16"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,10 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))
+event.category:process and event.type:(start or process_started) and
+ process.name:bcdedit.exe and
+ process.args:(/set and
+ (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))
 '''
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
index e386d8841..0a2589397 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,8 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:vssadmin.exe and process.args:(delete and shadows)
+event.category:process and event.type:(start or process_started) and
+ process.name:vssadmin.exe and process.args:(delete and shadows)
 '''
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
index b5787d70b..347eb6273 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,8 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:WMIC.exe and process.args:(delete and shadowcopy)
+event.category:process and event.type:(start or process_started) and
+ process.name:WMIC.exe and process.args:(delete and shadowcopy)
 '''
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 21621e007..768769e2f 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-(process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM and event.action:"Process Create (rule: ProcessCreate)"
+event.category:process and event.type:(start or process_started) and
+ (process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and
+ user.name:SYSTEM
 '''
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index e6a0c394b..34a9fd643 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:cmd.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+event.category:network and event.type:connection and
+ process.name:cmd.exe and
+ not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml
index bda6ef59f..5360f52b6 100644
--- a/rules/windows/execution_command_shell_started_by_powershell.toml
+++ b/rules/windows/execution_command_shell_started_by_powershell.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,8 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.parent.name:powershell.exe and process.name:cmd.exe
+event.category:process and event.type:(start or process_started) and
+ process.parent.name:powershell.exe and process.name:cmd.exe
 '''
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 3f98c5541..bff9c2059 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,8 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.parent.name:svchost.exe and process.name:cmd.exe
+event.category:process and event.type:(start or process_started) and
+ process.parent.name:svchost.exe and process.name:cmd.exe
 '''
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 8082880d4..f9d145f7e 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:hh.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+event.category:network and event.type:connection and
+ process.name:hh.exe and
+ not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
diff --git a/rules/windows/execution_local_service_commands.toml b/rules/windows/execution_local_service_commands.toml
index 4a29218ec..164ba1220 100644
--- a/rules/windows/execution_local_service_commands.toml
+++ b/rules/windows/execution_local_service_commands.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:sc.exe and process.args:(config or create or failure or start)
+event.category:process and event.type:(start or process_started) and
+ process.name:sc.exe and
+ process.args:(config or create or failure or start)
 '''
diff --git a/rules/windows/execution_msbuild_making_network_connections.toml b/rules/windows/execution_msbuild_making_network_connections.toml
index 354f376f9..b9ec2cd94 100644
--- a/rules/windows/execution_msbuild_making_network_connections.toml
+++ b/rules/windows/execution_msbuild_making_network_connections.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Network connection detected (rule: NetworkConnect)" and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or "::1")
+event.category:network and event.type:connection and
+ process.name:MSBuild.exe and
+ not destination.ip:(127.0.0.1 or "::1")
 '''
diff --git a/rules/windows/execution_mshta_making_network_connections.toml b/rules/windows/execution_mshta_making_network_connections.toml
index 2ab44b42d..d2c4d2ae9 100644
--- a/rules/windows/execution_mshta_making_network_connections.toml
+++ b/rules/windows/execution_mshta_making_network_connections.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Network connection detected (rule: NetworkConnect)" and process.name:mshta.exe
+event.category:network and event.type:connection and process.name:mshta.exe
 '''
diff --git a/rules/windows/execution_msxsl_network.toml b/rules/windows/execution_msxsl_network.toml
index 76b0b36bf..313af1ba0 100644
--- a/rules/windows/execution_msxsl_network.toml
+++ b/rules/windows/execution_msxsl_network.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:msxsl.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+event.category:network and event.type:connection and
+ process.name:msxsl.exe and
+ not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index eb4e3bf7a..717d68463 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:PsExec.exe and event.action:"Network connection detected (rule: NetworkConnect)"
+event.category:network and event.type:connection and process.name:PsExec.exe
 '''
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 8ebaf8e71..694875822 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:(regsvr32.exe or regsvr64.exe) and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)
+event.category:network and event.type:connection and
+ process.name:(regsvr32.exe or regsvr64.exe) and
+ not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
diff --git a/rules/windows/execution_script_executing_powershell.toml b/rules/windows/execution_script_executing_powershell.toml
index af48522e0..5579eafef 100644
--- a/rules/windows/execution_script_executing_powershell.toml
+++ b/rules/windows/execution_script_executing_powershell.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe
+event.category:process and event.type:(start or process_started) and
+ process.parent.name:(cscript.exe or wscript.exe) and
+ process.name:powershell.exe
 '''
diff --git a/rules/windows/execution_suspicious_ms_office_child_process.toml b/rules/windows/execution_suspicious_ms_office_child_process.toml
index bc008c354..1f1c2c5fd 100644
--- a/rules/windows/execution_suspicious_ms_office_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_office_child_process.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,17 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)
+event.category:process and event.type:(start or process_started) and
+ process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or
+ mspub.exe or powerpnt.exe or winword.exe) and
+ process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or
+ certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or
+ forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or
+ installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or
+ netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or
+ qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or
+ regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or
+ wmic.exe or wscript.exe or
xwizard.exe)
 '''
diff --git a/rules/windows/execution_suspicious_ms_outlook_child_process.toml b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
index 5331edc98..4a9c196da 100644
--- a/rules/windows/execution_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,16 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)
+event.category:process and event.type:(start or process_started) and
+ process.parent.name:outlook.exe and
+ process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or
+ certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or
+ forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or
+ installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or
+ netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or
+ qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or
+ regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or
+ wmic.exe or wscript.exe or xwizard.exe)
 '''
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index b144d212e..b9b12a27f 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/30"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/30"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,16 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)
+event.category:process and event.type:(start or process_started) and
+ process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and
+ process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or
+ net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or
+ quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or
+ whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or
+ iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or
+ msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or
+ schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or
+ wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)
 '''
diff --git a/rules/windows/execution_unusual_network_connection_via_rundll32.toml b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
index b38117e22..1b5d9cb12 100644
--- a/rules/windows/execution_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:rundll32.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)
+event.category:network and event.type:connection and
+ process.name:rundll32.exe and
+ not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)
 '''
diff --git a/rules/windows/execution_unusual_process_network_connection.toml b/rules/windows/execution_unusual_process_network_connection.toml
index 5d95a3a7e..572834f6a 100644
--- a/rules/windows/execution_unusual_process_network_connection.toml
+++ b/rules/windows/execution_unusual_process_network_connection.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
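Review bot: The exclusion `not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)` on the last new line of the rundll32 query hunk lists only IPv4 ranges, whereas the SMB hunk further down the page also excludes `"::1"`, so the two rules disagree on what counts as local and an IPv6 loopback or link-local connection from rundll32.exe would still alert here. Adding `"::1"` (and, where the environment uses them, `"fc00::/7"` and `"fe80::/10"`) to the list brings the rules into line. I also cannot tell from the page whether the endpoint source emits `event.type:connection` for network events or some other value; checking the new first line against a sample endpoint network event would confirm it actually matches.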
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Network connection detected (rule: NetworkConnect)" and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)
+event.category:network and event.type:connection and
+ process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or
+ fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)
 '''
diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml
index f7685d521..617f783bb 100644
--- a/rules/windows/execution_via_net_com_assemblies.toml
+++ b/rules/windows/execution_via_net_com_assemblies.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.name:(RegAsm.exe or RegSvcs.exe) and event.action:"Process Create (rule: ProcessCreate)"
+event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)
 '''
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index e49c03959..1bd9b034e 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
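Review bot: The rewritten .NET COM assemblies query keeps `process.name:(RegAsm.exe or RegSvcs.exe)` in mixed case, while the Outlook and PDF reader hunks earlier on this page spell the same binaries `regasm.exe or regsvcs.exe`. If `process.name` is a keyword field, as it is in ECS, the comparison is case-sensitive and the two spellings select different events, so the rule set is inconsistent about which casing it expects from the data source. Pick one casing for all rules — lowercase would match the other hunks — or list both spellings if the source can emit either, e.g. `process.name:(RegAsm.exe or regasm.exe or RegSvcs.exe or regsvcs.exe)`.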
@@ -23,7 +23,10 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Network connection detected (rule: NetworkConnect)" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or "::1")
+event.category:network and event.type:connection and
+ destination.port:445 and
+ not process.pid:4 and
+ not destination.ip:(127.0.0.1 or "::1")
 '''
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index ac8e3f82e..012e4597d 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,10 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" or "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created (rule: FileCreate)" and not process.name:msiexec.exe
+event.category:file and event.type:creation and
+ file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" or
+ "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe") and
+ not process.name:msiexec.exe
 '''
diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml
index 039beb68a..864e1c44b 100644
--- a/rules/windows/persistence_local_scheduled_task_commands.toml
+++ b/rules/windows/persistence_local_scheduled_task_commands.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
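Review bot: The quoted Windows paths on the new `file.path` lines of the Adobe hijack hunk keep single backslashes, as do the `process.executable` paths in the Event Viewer UAC hunk further down the page. As far as I recall, KQL treats `\t`, `\r` and `\n` inside a quoted string as escape sequences and passes any other backslash through literally, so these particular paths parse as intended, but a future path segment that starts with one of those letters would silently change the match. Doubling the backslashes, e.g. `"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe"`, removes the dependence on that parser detail; because the query lives in a TOML `'''` literal block, the doubled form reaches KQL unchanged.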
@@ -19,7 +19,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)
+event.category:process and event.type:(start or process_started) and
+ process.name:schtasks.exe and
+ process.args:(-change or -create or -run or -s or /S or /change or /create or /run)
 '''
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index ace8234cc..307d03354 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)
+event.category:process and event.type:(start or process_started) and
+ process.parent.name:services.exe and
+ process.name:(cmd.exe or powershell.exe)
 '''
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index eae6cfced..d0a5683af 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
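Review bot: The `process.args` list on the last new line of the scheduled-task hunk mixes `-s` with `/S` and contains no capitalised `/Create`, `/Run` or `/Change`; if `process.args` is a keyword field the comparison is case-sensitive, so a task created with `schtasks /Create` would not match even though the command itself accepts switches in either case. The same consideration applies to `process.args:(user and (/ad or /add))` in the user account creation hunk below. Either add the common capitalised forms to the lists or state in the rule description that the match is case-sensitive and relies on the data source recording arguments as typed.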
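Review bot: In the system-shells-via-services hunk, `process.name:(cmd.exe or powershell.exe)` omits `pwsh.exe`, which the Outlook and PDF reader hunks on this page list alongside `powershell.exe`; a PowerShell 7 shell started by services.exe would go undetected here while the sibling rules would catch it. Consider `process.name:(cmd.exe or powershell.exe or pwsh.exe)` so the shell list agrees across the rules.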
@@ -21,7 +21,10 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))
+event.category:process and event.type:(start or process_started) and
+ process.name:(net.exe or net1.exe) and
+ not process.parent.name:net.exe and
+ process.args:(user and (/ad or /add))
 '''
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index ea2299caa..81c05f87f 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/17"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/03/17"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-process.parent.name:eventvwr.exe and event.action:"Process Create (rule: ProcessCreate)" and not process.executable:("C:\Windows\SysWOW64\mmc.exe" or "C:\Windows\System32\mmc.exe")
+event.category:process and event.type:(start or process_started) and
+ process.parent.name:eventvwr.exe and
+ not process.executable:("C:\Windows\SysWOW64\mmc.exe" or "C:\Windows\System32\mmc.exe")
 '''
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index dbed845fa..ef731f2bd 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-ecs_version = ["1.4.0"]
+ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/06/24"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,20 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.action:"Process Create (rule: ProcessCreate)" and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))
+event.category:process and event.type:(start or process_started) and
+ process.parent.executable:* and
+ (process.name:smss.exe and not process.parent.name:(System or smss.exe) or
+ process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or
+ process.name:wininit.exe and not process.parent.name:smss.exe or
+ process.name:winlogon.exe and not process.parent.name:smss.exe or
+ process.name:lsass.exe and not process.parent.name:wininit.exe or
+ process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or
+ process.name:services.exe and not process.parent.name:wininit.exe or
+ process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or
+ process.name:spoolsv.exe and not process.parent.name:services.exe or
+ process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or
+ process.name:taskhostw.exe and not
process.parent.name:(services.exe or svchost.exe) or
+ process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))
 '''
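Review bot: The reflowed parent/child clause relies on `and` binding tighter than `or` in KQL to pair each `process.name` term with its `not process.parent.name` exclusion; the old one-liner depended on the same precedence, but now that each pair sits on its own line a reader can easily take the leading `and` on the first new line as grouping with the opening parenthesis, and a later edit that drops a `not` or appends a bare term would change the grouping silently. Wrapping each pair in its own parentheses, e.g. `(process.name:smss.exe and not process.parent.name:(System or smss.exe)) or`, and likewise for the other eleven pairs, makes the intended precedence explicit at no cost. A one-line comment in the rule description such as `each line pairs a system binary with the only parents it is expected to have` would also help the next editor keep the structure intact.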