diff --git a/rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml b/rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml
index 59cd85aff..c57b924e1 100644
--- a/rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml
+++ b/rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Avoding rule duplication for <= 8.8 stack versions"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/12"
+updated_date = "2024/03/11"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ index = ["logs-endpoint.events.*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Remote File Creation on a Sensitive Directory"
+name = "Deprecated - Remote File Creation on a Sensitive Directory"
 references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
 risk_score = 47
 rule_id = "2377946d-0f01-4957-8812-6878985f515d"
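Review bot: The rule is renamed with a "Deprecated - " prefix in the second hunk, but the metadata in the first hunk still carries `maturity = "production"`, so the file now reads as a production rule that announces its own deprecation. If retiring the rule is the intent, the deprecation should be carried by the metadata (maturity set to deprecated, plus a deprecation date next to the bumped updated_date) rather than by the display name alone; if the rule is merely being split per stack version, as the min_stack_comments context suggests, one sentence in the description naming the rule that supersedes it would help anyone who still has this one enabled. Either way, the query rewrite in the following hunk is effort spent on a rule that is being retired, which is worth confirming before merge.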
@@ -27,16 +27,18 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where (event.action == "creation" or event.action == "modification") and
-process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and not
-user.name:("SYSTEM", "root") and
-(file.path : ("C*\\Users\\*\\AppData\\Roaming*", "C*\\Program*Files\\*",
- "C*\\Windows\\*", "C*\\Windows\\System\\*",
- "C*\\Windows\\System32\\*", "/etc/*", "/tmp*",
- "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
- "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
- "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
- "/lib/systemd/*"
+file where event.action in ("creation", "modification") and
+ not user.name:("SYSTEM", "root") and
+ process.name in ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and
+ (
+ file.path : (
+ "?:\\Users\\*\\AppData\\Roaming*", "?:\\Program Files*",
+ "?:\\Windows\\*", "?:\\Windows\\System\\*",
+ "?:\\Windows\\System32\\*", "/etc/*", "/tmp*",
+ "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
+ "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
+ "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
+ "/lib/systemd/*"
 )
 )
 '''
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index aaed54042..834038fb7 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/22"
 
 [rule]
 author = ["Elastic"]
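Review bot: Replacing `process.name:(...)` with `process.name in (...)` silently changes the match from case-insensitive to case-sensitive: in EQL `:` ignores case while `in` compares exact strings, so any event whose process.name is cased differently from the listed values (for example a capitalised `SSHD` or a lower-cased `system`, if a source ever emits those) stops matching. If the exact-case form is deliberate, a short comment in the query saying so would spare the next reviewer the same question; otherwise `process.name in~ (...)` keeps the old behaviour with the new layout. The switch from the `C*` prefix to the drive-letter pattern `?:\\...` is a tightening and looks intended. The updated_date bump in the registry rule that follows is trivial.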
@@ -13,7 +13,7 @@ Detects changes to registry persistence keys that are not commonly used or modif
 be an indication of an adversary's attempt to persist in a stealthy manner.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.registry*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Uncommon Registry Persistence Change"
@@ -28,8 +28,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where host.os.type == "windows" and
- /* uncomment once stable length(registry.data.strings) > 0 and */
+registry where host.os.type == "windows" and event.type in ("creation", "change") and
+ length(registry.data.strings) > 0 and
 registry.path : (
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 930c62158..94a4abcac 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/10/23"
+updated_date = "2024/01/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 
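Review bot: `length(registry.data.strings) > 0` in the second hunk also acts as an existence filter: an event that lacks `registry.data.strings` altogether evaluates the comparison to null and drops out, so any registry write that is never rendered into that field is excluded along with genuinely empty ones, and nothing in the hunk says whether that is wanted. The removed `/* uncomment once stable ... */` line was the only explanation of the clause; keep a short one, e.g. `/* ignore empty writes; also drops events without registry.data.strings */`. Narrowing the index pattern to `logs-endpoint.events.registry*` and the case-sensitive `event.type in ("creation", "change")` against the fixed ECS vocabulary both look right. The query continues past the end of the hunk.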
@@ -39,7 +39,7 @@ Identifies script engines creating files in the Startup folder, or the creation
 Adversaries may abuse this technique to maintain persistence in an environment.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistent Scripts in the Startup Directory"
@@ -116,7 +116,10 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and
+file where host.os.type == "windows" and event.type != "deletion" and
+
+ file.extension : ("lnk", "vbs", "vbe", "wsh", "wsf", "js") and
+ not (startsWith(user.domain, "NT") or endsWith(user.domain, "NT")) and
 
 /* detect shortcuts created by wscript.exe or cscript.exe */
 (file.path : "C:\\*\\Programs\\Startup\\*.lnk" and
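Review bot: `not (startsWith(user.domain, "NT") or endsWith(user.domain, "NT"))` in the second hunk excludes far more than the `user.domain != "NT AUTHORITY"` it replaces: every account whose domain merely begins or ends with `NT` (an organisation's own NetBIOS name can) is dropped from the rule, with no comment explaining the widening, while the check stays case-sensitive so a differently cased domain is not affected at all. Presumably the aim is to cover localised spellings of the built-in authority such as `AUTORITE NT`; if so, state it in the query, `/* NT AUTHORITY and its localized spellings, e.g. "AUTORITE NT" */`, or list the known spellings explicitly so the blind spot is bounded rather than prefix-wide. The empty `+` line between `and` and `file.extension` is a stray and should go. The query body continues past the end of the hunk.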