diff --git a/etc/version.lock.json b/etc/version.lock.json index 243a8d850..676bce07a 100644 --- a/etc/version.lock.json +++ b/etc/version.lock.json @@ -6,18 +6,18 @@ }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", - "sha256": "f68a9dce69186cf8572e292ecf08940d2147a15758ea95fdc2c7f088de2b90cf", - "version": 3 + "sha256": "6d47bcc98a871cdd3e70fe35d093133b1c731a17ffb0c7ea03fd0d61fc00dc02", + "version": 4 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "rule_name": "Potential DNS Tunneling via Iodine", - "sha256": "b5191f150c1ebb72435b3d9f7fa94f5899d19721c18e0bdaa29fd60fa8467bc7", - "version": 3 + "sha256": "c17a009f2b1b2146fcda7e2375a6560d89536bca1d9fcc52ad5c444b4bcfc179", + "version": 4 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "d0be61c3e42cf4bde25d38756c9c22b8a22823b69d30a865812f5df76e36694f", - "version": 2 + "sha256": "d88cc0ea7309e063e63b8241cc54e7e269ae1b33866dd3bf8f46c438d0d308d7", + "version": 3 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", @@ -41,28 +41,28 @@ }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", - "sha256": "c85589b020359d809d3f65951b4cee3cc7c10da104effeeaa2fc920eed8ff4a6", - "version": 3 + "sha256": "182668d6e35a7cd6ee4f8c9d4c8254a38d117cae8f100783156fcb793fbe0fac", + "version": 4 }, "0e79980b-4250-4a50-a509-69294c14e84b": { "rule_name": "MsBuild Making Network Connections", - "sha256": "11cb63b795999bdd1ea0eb1d4cbf5c6b8d86c4945a480136eeaa80f9161fd522", - "version": 3 + "sha256": "fa80576323984a1cdbae7de84168b41ea9aa136a4d4eb5b1881c30927aa2d72e", + "version": 4 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", - "sha256": "823211d2d9e7031bcc9ea0b8602b7e2dda7d6cf7b53dee522c071d8fd2a71d2a", - "version": 3 + "sha256": "059dc81a07c9f3e03e8a0789bff2cb08a59001fdf8fe3a1cb0bcda6d3caa7bc1", + "version": 4 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", - "sha256": "5b24e533677a2f73bf8b544ce6fbf607947458de6b8882958699b9598a3d4a60", - "version": 3 + "sha256": "07e4c45585d14e41fadd1bb2f2d089924be88eeb447ed751d600b3ea06d118f2", + "version": 4 }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "cbc8586826f96d5f656bee2ad503dd04e7969434458387de04f4064d8339fa9f", - "version": 2 + "sha256": "59632e186f6b83ff142f1be24f88219a64b9eba91582c6d1151737be05565348", + "version": 3 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", @@ -121,13 +121,13 @@ }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", - "sha256": "74696927e06e5fe8c85631d79fbe1c3a4a6b4050e8a47bbe7c15189a0407a7fb", - "version": 3 + "sha256": "402a5e361bf78100cbd475dfe6d13b574e07edaa4fd6515e9c6ad9b2cb741ec4", + "version": 4 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "rule_name": "Connection to Internal Network via Telnet", - "sha256": "7bb31e4849331d9eb2654a8dcc8e8f7e92932705a68217ddfeaf56def57a7e85", - "version": 2 + "sha256": "2e57557c9b3fcb6208d6c61b61fa0c76f5155884ab6f0ee01c7ddd1527283d13", + "version": 3 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endpoint Security", @@ -141,13 +141,13 @@ }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", - "sha256": "4bfbdc1a0d610ccb336a4816910e33f31ab91509561cfd36f9796e0a3ac975fc", - "version": 4 + "sha256": "0ffb12553181b7aba190ba88d9e29ad6f0e6e41cb0b0c290dc111c8c5ebc463d", + "version": 5 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "rule_name": "Net command via SYSTEM account", - "sha256": "ea63231f092eb92bb5af6281ae6a75d533362eff9969622f300b444469215456", - "version": 2 + "sha256": "8b67949307e8e23b7ba787b251923997097cd417c90f07c137ff306f8ffeee58", + "version": 3 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endpoint Security", @@ -156,23 +156,23 @@ }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Adobe Hijack Persistence", - "sha256": "05564512fe328ac4a4fcfffe78ae6a65ea0d787a48aceaf575edae53c7f95d0f", - "version": 3 + "sha256": "10a5ff3172ab7265ac7e29a3d64a77992312238f2c35037d3a723bbd26644eac", + "version": 4 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of Kernel Modules", - "sha256": "d599196e0f60c0f8dffb2d1fca21196e2c6ddf937531106b6bb8e633bfcc3333", - "version": 2 + "sha256": "3a00bcfef88df687e9f60af981f5e45b7f1d7275c637bf6d346c9a8424ed4aa2", + "version": 3 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "rule_name": "Attempt to Disable Syslog Service", - "sha256": "c374f6e74954bf81a5cbbe653d457c42b7f23208449b56ac24281d0d6a1e91db", - "version": 2 + "sha256": "a2a3c2eb4e76f3161927f2f3708a7831c0254f05598cf174afe04e173b9b726e", + "version": 3 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", - "sha256": "92fb6101c53b13f0bf3405f410860ce804f3ba778e06f566431dcda90fe894ba", - "version": 2 + "sha256": "d639e962c341c024aaf84dc2d15fb964b80d6ffeb33446bfc689972ac0e74896", + "version": 3 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", @@ -181,8 +181,8 @@ }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "582776dd04e5cd8c0f07883b793d2cb8e663233686cd8261b144e394e5bc00b3", - "version": 3 + "sha256": "20851dcbbe8b5b2d488ec89f42ae0a34d28ca793f91c59c9a746a071063e4fd5", + "version": 4 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", @@ -196,8 +196,8 @@ }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "rule_name": "Unusual Parent-Child Relationship", - "sha256": "7ce5606939cea6e45c7659bde7b679c0c33a164a9cecae385eb2a89379b7bcde", - "version": 3 + "sha256": "d6cfb4698aec1b5cf0d032dc63a045734b6d2f64f1512eed04ec2830dae5edc5", + "version": 4 }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "rule_name": "AWS Execution via System Manager", @@ -211,8 +211,8 @@ }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "rule_name": "Network Connection via Certutil", - "sha256": "9d456ed87d910cb6ebb86be154c58f80a7e4a011f8f55ddc2ff451f3efc23fe9", - "version": 2 + "sha256": "2ddb1724d79b9606e5fa60cef5a8ea1b4f61ca4586693d6fa9c74083bbb86402", + "version": 3 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", @@ -221,8 +221,8 @@ }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", - "sha256": "10a09743e9baaae69190eabcc1d7f6fc61ff8da5e7ff5a79208b7b25f2c05473", - "version": 2 + "sha256": "6b771c1099456446df103f77a607770b53cd33f3cf21ef60fda8a8a7914961c3", + "version": 3 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", @@ -271,8 +271,8 @@ }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "9cd83ec78d98435f5388ded75a9b1034f52da57884d1052801099e79f1087072", - "version": 3 + "sha256": "cbd3d898a80fdb3bd7c79c2f6486138e0d9d4577d34256136ccc8282a54d12ea", + "version": 4 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "rule_name": "Unusual Process For a Linux Host", @@ -281,13 +281,13 @@ }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", - "sha256": "637246c78b6fa0905bfc47ca942265bc7fc7daa16e544a1dad9aacd0d8932e89", - "version": 2 + "sha256": "cb6f8a29b6e8e22054ad733b4c8d1e4a3203a08cc8333c9c0ced2057dba9e71e", + "version": 3 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "5b03dfdf92939205720bd9a2a6ba3fcac321ab46278a63cf862a9ca8881623a7", - "version": 3 + "sha256": "7efb0cbeb8fdb7d49f6daeca8b7877ab7472b9bd0046e8e25596320bf7836d50", + "version": 4 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "rule_name": "AWS GuardDuty Detector Deletion", @@ -296,8 +296,8 @@ }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "f92bcc8271ce1e1082d42f76466838e17a0e94800d8c667f36df7f5dc55a1f92", - "version": 4 + "sha256": "e091babf5f308e98b3f0d883ec8d4d6a7ead789f240e79b6c89b974ba77ac80f", + "version": 5 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "rule_name": "Unusual Linux Network Activity", @@ -316,13 +316,13 @@ }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "82ba007857d824bcb38916fca098f15f5bb777191a7403c8e31f860514664d6b", - "version": 2 + "sha256": "ecaccdda66ec525035e0abe4cc0c05cf1ca2bcb9ab42fc9b087d15e6df1af6b5", + "version": 3 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "rule_name": "PsExec Network Connection", - "sha256": "b05123353ff4a1d27d4631d4bbc2f16860b755c4c32ec12dd65583f752866f43", - "version": 3 + "sha256": "8906bc996c13a315e04670626ece6862e0fac10a206fe365d567c09c4b0ae50c", + "version": 4 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", @@ -341,8 +341,8 @@ }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "a2f23de5e7249c0e4e28212eca17fcf83fdbea776f898f3bc5c456d9b80deb43", - "version": 3 + "sha256": "711209a022fc43f31489e05a3dd413ef7c89e4bc058376f1bb54c98896dfaf94", + "version": 4 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "rule_name": "AWS CloudTrail Log Created", @@ -351,8 +351,8 @@ }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", - "sha256": "1de8ead775e787c3256447c82655c40866a9513c245d1223939e04cb9f9763cf", - "version": 2 + "sha256": "9dfe20ded6d2881ef9ab368960f6232c28a7c20783b35ab2176cccff4ca8d19c", + "version": 3 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", @@ -361,18 +361,18 @@ }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", - "sha256": "1ad6e642d8c578f97d2569cc471059c7029ec1190e89c9dd0042c5a88906275b", - "version": 3 + "sha256": "e35d9a9c665928aa65a412aacdc9115351f3ce4a6d8c2588629b84e9243c341d", + "version": 4 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", - "sha256": "64a4c6687e8b28df55161028153804821cace7ea512cbabe778d559283d14a8d", - "version": 3 + "sha256": "87b5626a84518eec3d829cb474cb47532b10bb4a1d0b11d755c3682475d7cc3a", + "version": 4 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "rule_name": "Network Connection via Signed Binary", - "sha256": "404f0a34bef511d70d8dd11f094e02aa8a3fe938bdfb3d4441c4dbf6ea1a2cd3", - "version": 3 + "sha256": "548c73b1abd270a73ac51e0460895d3836f11ceadc8b19559a65c9618e20a118", + "version": 4 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "rule_name": "Anomalous Process For a Linux Population", @@ -406,8 +406,8 @@ }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", - "sha256": "c9771d9c525e750a0017693621b03d3aef6a3ec5773461ed3a1661ab43f85b53", - "version": 2 + "sha256": "228c4a9cc746a7de36dcd5f9b3cc9c86d0b06e7aef98059cecf0b2a0c7ed2c2d", + "version": 3 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS IAM Password Recovery Requested", @@ -476,13 +476,13 @@ }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", - "sha256": "c2c87b8c43abfa894c8e9d4fae2a21a63ad5e6608775215ee4315901207fc51d", - "version": 3 + "sha256": "ade46e96d842d8cbbf57a750750a9608f727e242b08491889ea63a07dffd4ca3", + "version": 4 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Deletion of Bash Command Line History", - "sha256": "90b821385ca30c677f757792c1f20543e852cc3e84161b7c67418e0795598fc8", - "version": 1 + "sha256": "9d890cbfcc12c01039cba5c143d094316e061f0a4d5d3b08165cf2eac4abb643", + "version": 2 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", @@ -501,8 +501,8 @@ }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", - "sha256": "80125097341af87cd48b9ad11105d466d5956ccc306450a562cfd0eb3ba33e5c", - "version": 3 + "sha256": "7de69f7a4a1f9689fe091d5b70484d4392ad24039b3a80f47d39d322d4719e55", + "version": 4 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", @@ -521,13 +521,13 @@ }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "rule_name": "Command Prompt Network Connection", - "sha256": "84bf6f16be980111319510f8654f6b42ac0a4e73405b2f031c9d5b0633e71014", - "version": 3 + "sha256": "920af03d75efd763b940e822bf4ba93d3f8fd8dde10e116f98e7d459096de622", + "version": 4 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "Setuid Bit Set via chmod", - "sha256": "80d32998b1c5af4f744b6890f5b5d734fd59f208e072929836a823619660d6b5", - "version": 2 + "sha256": "af04c32620120d576ec2c15c7a49bb359b6c1c77490206e947ed86826020fa3a", + "version": 3 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", @@ -541,8 +541,8 @@ }, "90169566-2260-4824-b8e4-8615c3b4ed52": { "rule_name": "Hping Process Activity", - "sha256": "a981451a19485a25d6fe0c5a5c6760be1d66decf16a4989d48754e3b7add6ab6", - "version": 3 + "sha256": "983df73edf11df0faa699d91d23031739d932dc4134e634c5c886fd07c6d5a4f", + "version": 4 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS RDS Cluster Deletion", @@ -571,8 +571,8 @@ }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Modification", - "sha256": "d11b8d0bb029ec776940640f440bc35573b8d5a83f2306cc9365c36dd2110be7", - "version": 2 + "sha256": "7d7d732303b9069da8939be0085b0b8f1fba316e25e4531e3d078f3ef0bab9c3", + "version": 3 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS EC2 Flow Log Deletion", @@ -586,8 +586,8 @@ }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", - "sha256": "feb2b3549a08e130d7b06da043cae62e646e2199b3c31bb71aa7ff059c3a7b6e", - "version": 2 + "sha256": "b83f0cfa5bbb7f02fa48798def53d8b1a57fd8734d0d24e95e8ebe34444e5249", + "version": 3 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "AWS EC2 Snapshot Activity", @@ -611,28 +611,28 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "2f83765c4911e648c0be0db638d9cc346965a71141933eac60f40861b9b7cd91", - "version": 2 + "sha256": "d6ebaa11d210241095adfa1bcc998743ab486836f893b87e044a8255829f52fb", + "version": 3 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "a21ff9b2f5134165746bb88ae1aee78d6bd955a455052c829ab18ccd9f06118f", - "version": 2 + "sha256": "2bbb3b9cbeead17b40f9663e52ec3b42f4b1d58dd645962c431d84b7ce149c90", + "version": 3 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "6734ab6912ee86be6f5eff281217b5f9c95ac51596cd01d2f9359cc3b8de7758", - "version": 2 + "sha256": "c7b27e753ab08dc5bd3cab380b67f4b346279dbeddea2b55aa862747f335e56b", + "version": 3 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "rule_name": "Microsoft Build Engine Loading Windows Credential Libraries", - "sha256": "9aa85ddacb0b3441dfcb53ec6d5b5c5ce908c558a242c764bd3f44624f8153ee", - "version": 2 + "sha256": "45fff1a065830305c07e41b12e2645e34ba7c10c5512268efd85d2e50ce4f833", + "version": 3 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "2c2569ff1e94344e1f975de973207510adf013f3a1d023c86508e8a116014454", - "version": 2 + "sha256": "0aefc28ef5fa42264e4082dd010644052873fc54ae3cb0b7bc3cbf5a882fe345", + "version": 3 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "rule_name": "Process Injection by the Microsoft Build Engine", @@ -641,8 +641,8 @@ }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", - "sha256": "15ed502ec9c70e5b3fa1de7c99ec0877ac1907ece60779a324b8461956093012", - "version": 2 + "sha256": "a615c13125f279c6b25a34d110cf8d84f45e4bbce23e9ec63080952a04342760", + "version": 3 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "AWS Access Secret in Secrets Manager", @@ -651,13 +651,13 @@ }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", - "sha256": "4f3f62c5999ec7b6e172437a4f359adc08bb68fc7a83c954c4f019b5d64a8664", - "version": 2 + "sha256": "10ea375a05dd802cd9169b589070582864cac1a66a76de45d14c2b089c25e902", + "version": 3 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", - "sha256": "59d713111ca42fcac2769d8939303019253c300d5455524e3fff4446f24282ad", - "version": 3 + "sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17", + "version": 4 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { "rule_name": "AWS IAM Assume Role Policy Update", @@ -666,8 +666,8 @@ }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", - "sha256": "63f8ff2b6aafc463ae4759cabe61f70564a50e3d77328cf40916ae99b7ea9813", - "version": 3 + "sha256": "0f44750ec993f9fdde22d2e85e1679352f4d94c946293223c066533697a50f59", + "version": 4 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", @@ -676,8 +676,8 @@ }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", - "sha256": "c22e81459d98bd8fc47e911677c6ee40218253b7ec3bcb2e21c3d7e6116e7d4e", - "version": 2 + "sha256": "d191c76742500aaa9f0d3284ffa0c5fb620768826b7ed5ea0d2eea116d838d86", + "version": 3 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", @@ -696,18 +696,18 @@ }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "rule_name": "Netcat Network Activity", - "sha256": "eb3f95d0ec4f799be133ce35a3b5365edbdf780a99a638023ef5aff1f64c5b1e", - "version": 3 + "sha256": "a86bc32201580a304e3177b759ade73e627c671d5e11853a88415f784b18d71b", + "version": 4 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "rule_name": "Local Scheduled Task Commands", - "sha256": "5850b379eef292ad97ff952faf36cd85e8ce9f9c34e36b3f0efe0b844cde9c8f", - "version": 3 + "sha256": "d6d29ecdfb8d8ac87743712066146346c70d2a2991a00def356c8ed4733871bf", + "version": 4 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", - "sha256": "397a3304cb369f9f0567541e5bd84323c385ec834cb499a0e67d718f64006f52", - "version": 3 + "sha256": "88b6fdcc1f81a38ae42c2cc4d883604e9f5acd4a58af5f48a0c48e398665b9a4", + "version": 4 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", @@ -721,8 +721,8 @@ }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deletion via VssAdmin", - "sha256": "9a89bb4616053a27b9da19b0e039f20b5b06eddb82c0254daa490038e565943f", - "version": 3 + "sha256": "fc61426143133407bddabf689f0b5244aff16def118cbf470929b71174763637", + "version": 4 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "rule_name": "Attempt to Deactivate Okta Policy", @@ -736,13 +736,13 @@ }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", - "sha256": "a6b35cd7c01efd9e3ff5f09556cfeae330c4c59d78c7d467cf32b8c376f93371", - "version": 2 + "sha256": "b82fc0de50c86b935980223c1fd582a618f509e526ba9d363771d0b5601b2628", + "version": 3 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories", - "sha256": "0032ef35ec0d687bcb474eedb0e01318c6d305c658ec692cf78bfb9d1bf2e1dc", - "version": 1 + "sha256": "c9369962e142eda14a770259206ca03ba72a0d0b907996d25498e4e2ef847796", + "version": 2 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "rule_name": "Unusual Windows Network Activity", @@ -771,8 +771,8 @@ }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "dd84d55464f543307c27a7f776fafdb99ab36e58ad7a7d5cbe9dbd3bd4c39a33", - "version": 2 + "sha256": "15fd9d9b15627d4a9dd571999362b14fb2e86016cf6e27740af6c1f45f64db96", + "version": 3 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -786,13 +786,13 @@ }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "Direct Outbound SMB Connection", - "sha256": "f323552f1aa665fbffde188f19226fda514df98d5e174725d61cd0d413ed8130", - "version": 3 + "sha256": "fae4636ddb0a185e2acbb41f8fea2f8510f6cf0ae61bbddd0218c63a74d5483b", + "version": 4 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", - "sha256": "b0134afadd79015919a72fb3e6fa0f3994aca735609a71ab4aaa03c89c6ceee4", - "version": 3 + "sha256": "b82bf76e52898dfa29ff4736c2c989d575b0bf9c06fdb8bfcbf1ee737f41ccaf", + "version": 4 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endpoint Security", @@ -816,13 +816,13 @@ }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", - "sha256": "68d871126791b1040df2c53b6dc057432217be3b4376703b7cb81a2057344720", - "version": 3 + "sha256": "5dfa85cf3d23f692d8b5612ae518fda01ad11c2a9e4b3858f6f2eb79112332ac", + "version": 4 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", - "sha256": "f9fdcf439337f1fe71aa24215d02c09249e9cfb978f217d3edef60d6607d9403", - "version": 2 + "sha256": "db63134024db06c912eac8f9cbb156a98ba56e576abec86baff108edc6a7a10b", + "version": 3 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "rule_name": "Attempt to Deactivate MFA for Okta User Account", @@ -836,8 +836,8 @@ }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", - "sha256": "6bf85d1d2f89adc041f3190145f1de20672f190727b302eaaf43268951d5e100", - "version": 3 + "sha256": "1e199885d6b2ee9d5652ae342c7a56130596f14f4207396452c15db2d826c26f", + "version": 4 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", @@ -851,13 +851,13 @@ }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", - "sha256": "9d82b60fa077eab2c9bd133e9a3c4d56e2cf3f1ba86047b23540dc6b837266fb", - "version": 3 + "sha256": "2932086916e97a5920805f062c8461646c61448d36248aa6bf403133c86efa34", + "version": 4 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "6e298f0f3fed486ae6f4eb0a4d93d8deebf1597264ec5ac5ed32c42d8616263a", - "version": 2 + "sha256": "0a50429de3280c10cd206152131fed4f9491b08502c8877352256f7965470a0f", + "version": 3 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", @@ -876,8 +876,8 @@ }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "64fccc407b6b538dbab612c8a8040476660146645f1940b48a64a324c51e705b", - "version": 3 + "sha256": "4b8ef95da8429452dcf67363672f8a9e6c4e45bc80bd729ad5d3b3e60a550a7c", + "version": 4 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", @@ -886,13 +886,13 @@ }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "5f837c9e27f696b82b77dcb7d2c4a1a92142c2464451fc000104488ed8d65160", - "version": 2 + "sha256": "d3b991ebc8647e62117b27fbc8ed1f9c22a7daddb565daa4d2e617d1c8cf71b6", + "version": 3 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", - "sha256": "88700a3ed7404230c3fdcfb911bf74ef67178524e736a46f09cd82435b4e825d", - "version": 3 + "sha256": "26f7ffcfddc4a817c1cedd32dc68cef4167749ada87584c1ab790d2b44a41485", + "version": 4 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "AWS RDS Cluster Creation", @@ -901,8 +901,8 @@ }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "rule_name": "Connection to External Network via Telnet", - "sha256": "1bdc0e8f97c88ad7d853ebb1870d959cd48583d54e72572f169a3fb35907e1aa", - "version": 2 + "sha256": "8dddae484d130d6bbcf5b88ba30b257f4ec4b0cf0e3eff8233822488c848ad9f", + "version": 3 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", @@ -936,8 +936,8 @@ }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "rule_name": "Local Service Commands", - "sha256": "09a14045036f6a30948b02a97ace4a3004863642b39f1d965fb7bc175fadff25", - "version": 3 + "sha256": "7f40a97cad0ae6acde9832aff4deb5250d452c2c825f894a138ae9f0d86a4121", + "version": 4 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", @@ -956,8 +956,8 @@ }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", - "sha256": "8f7296c828ca1babc06b6d8f33006f235b006335b8e05dca5f6cd0dec669975f", - "version": 2 + "sha256": "3354f1c679152be687ac4eef73892612b5b488f0cfe4e0e2636dc3dfdfa45b6a", + "version": 3 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "rule_name": "AWS RDS Instance/Cluster Stoppage", @@ -971,13 +971,13 @@ }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "rule_name": "Windows Script Executing PowerShell", - "sha256": "681ddd7b3337bb41f2496d94153c346d7e8e4fd2cab289c5c5168e3f5446d549", - "version": 3 + "sha256": "fbb250048e91b7b8df4a0555a9ddc8cf98009dbf2434019bf0e88839983dd332", + "version": 4 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "9fc4f152c5dbe06bbbdf27a4d307abc2da1116b564acc79b30034913e3b12219", - "version": 3 + "sha256": "37d052555eb47692d5dd98ecf41af9de6d21b1526b7047c228a532e021ca04ca", + "version": 4 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", @@ -991,8 +991,8 @@ }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "rule_name": "Network Connection via Regsvr", - "sha256": "78487cacf86e895d025eabed659c5ffaa0ded038a19808d5d6bb5f70978fb014", - "version": 3 + "sha256": "01a7ea6c1cda22f3edc887d557916a5f27184cbb9c90dd7c09e36f3c68fd59f4", + "version": 4 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { "rule_name": "AWS Configuration Recorder Stopped", @@ -1006,12 +1006,12 @@ }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "rule_name": "Encoding or Decoding Files via CertUtil", - "sha256": "cd0e189f8420314a834c4916b9685304b8edc4259d275796ee0e06fb7df0338b", - "version": 3 + "sha256": "d650ddaf396c9379540944aa0f084b0ef5802ec62367cb311ac6a4f0dd353d2d", + "version": 4 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "rule_name": "Svchost spawning Cmd", - "sha256": "53659b10280ff1cf084f6f27a95b3eae81c1e9e9e2cf0806e7eb61f14da0fc6d", - "version": 3 + "sha256": "730e186178e67ceed90c1a70820a8ab14290ee86c749c73739fbff617f7da978", + "version": 4 } } \ No newline at end of file diff --git a/rules/linux/credential_access_tcpdump_activity.toml b/rules/linux/credential_access_tcpdump_activity.toml index 607568f61..76dd228f3 100644 --- a/rules/linux/credential_access_tcpdump_activity.toml +++ b/rules/linux/credential_access_tcpdump_activity.toml @@ -17,6 +17,7 @@ false_positives = [ troubleshooting. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index e94a644a0..b9702f571 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -10,6 +10,7 @@ description = """ Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index b4c1d444f..6c6dc9250 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -10,6 +10,7 @@ description = """ Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index bd6427d54..be0146fd0 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -13,6 +13,7 @@ false_positives = [ filtered by the process executable or username values. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml index 3105abab8..bd64df513 100644 --- a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml @@ -13,6 +13,7 @@ false_positives = [ filtered by the process executable or username values. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml index cfff1dcd9..309fd304d 100644 --- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml @@ -10,6 +10,7 @@ description = """ Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic investigations. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index a0aa5e863..f640c02df 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -11,6 +11,7 @@ Identifies potential attempts to disable Security-Enhanced Linux (SELinux), whic support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 220c896d2..be00e3948 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -11,6 +11,7 @@ Malware or other files dropped or created on a system by an adversary may leave a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 5f3399592..90699c88a 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -16,6 +16,7 @@ false_positives = [ by username. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml index b6b2210e0..44a4b348d 100644 --- a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml @@ -13,6 +13,7 @@ false_positives = [ filtered by the process executable or username values. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index e5be0fa97..143911149 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -17,6 +17,7 @@ false_positives = [ behavior. These events can be filtered by the process arguments, username, or process name values. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index 25d026abf..ab662af6c 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -17,6 +17,7 @@ false_positives = [ Note that some Linux distributions are not built to support the removal of modules at all. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 985e34bc0..46aaa773a 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -17,6 +17,7 @@ false_positives = [ by ordinary users is uncommon. These can be exempted by process name or username. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index 623504ae8..9bfeba953 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -17,6 +17,7 @@ false_positives = [ process arguments to eliminate potential noise. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/discovery_whoami_commmand.toml b/rules/linux/discovery_whoami_commmand.toml index d2ab5b748..0587912fb 100644 --- a/rules/linux/discovery_whoami_commmand.toml +++ b/rules/linux/discovery_whoami_commmand.toml @@ -16,6 +16,7 @@ false_positives = [ automation tools and frameworks. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index 39b28c722..bb25dc187 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -10,6 +10,7 @@ description = """ Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index ee4f324de..802525b86 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -10,6 +10,7 @@ description = """ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 58d662ecc..a8ca67f70 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -18,6 +18,7 @@ false_positives = [ suspicious. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index 0a0e4f4ad..3caa809bc 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -18,6 +18,7 @@ false_positives = [ suspicious. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/linux_hping_activity.toml index 6d7cb9f8f..f3b510d5d 100644 --- a/rules/linux/linux_hping_activity.toml +++ b/rules/linux/linux_hping_activity.toml @@ -16,6 +16,7 @@ false_positives = [ uncommon. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/linux_iodine_activity.toml b/rules/linux/linux_iodine_activity.toml index 3dac64d26..62a23b1d7 100644 --- a/rules/linux/linux_iodine_activity.toml +++ b/rules/linux/linux_iodine_activity.toml @@ -16,6 +16,7 @@ false_positives = [ uncommon. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml index 4ace49600..c0c47cf5a 100644 --- a/rules/linux/linux_mknod_activity.toml +++ b/rules/linux/linux_mknod_activity.toml @@ -16,6 +16,7 @@ false_positives = [ scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/linux_netcat_network_connection.toml b/rules/linux/linux_netcat_network_connection.toml index aacbb0123..45f954019 100644 --- a/rules/linux/linux_netcat_network_connection.toml +++ b/rules/linux/linux_netcat_network_connection.toml @@ -18,6 +18,7 @@ false_positives = [ originate from scripts, automation tools, and frameworks. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/linux_nmap_activity.toml b/rules/linux/linux_nmap_activity.toml index 9f060db99..a232a8ba7 100644 --- a/rules/linux/linux_nmap_activity.toml +++ b/rules/linux/linux_nmap_activity.toml @@ -18,6 +18,7 @@ false_positives = [ uncommon. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/linux_nping_activity.toml b/rules/linux/linux_nping_activity.toml index 233b68c76..739bd631e 100644 --- a/rules/linux/linux_nping_activity.toml +++ b/rules/linux/linux_nping_activity.toml @@ -16,6 +16,7 @@ false_positives = [ is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/linux_process_started_in_temp_directory.toml b/rules/linux/linux_process_started_in_temp_directory.toml index 85450b53c..48e5b6940 100644 --- a/rules/linux/linux_process_started_in_temp_directory.toml +++ b/rules/linux/linux_process_started_in_temp_directory.toml @@ -13,6 +13,7 @@ false_positives = [ username. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/linux_socat_activity.toml b/rules/linux/linux_socat_activity.toml index 14393087c..a1543f2df 100644 --- a/rules/linux/linux_socat_activity.toml +++ b/rules/linux/linux_socat_activity.toml @@ -17,6 +17,7 @@ false_positives = [ more likely to be suspicious. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/linux_strace_activity.toml b/rules/linux/linux_strace_activity.toml index 974a65f68..ba5096dd0 100644 --- a/rules/linux/linux_strace_activity.toml +++ b/rules/linux/linux_strace_activity.toml @@ -16,6 +16,7 @@ false_positives = [ originate from developers or SREs engaged in debugging or system call tracing. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/persistence_kernel_module_activity.toml b/rules/linux/persistence_kernel_module_activity.toml index 1c9d3b3ca..ee5dc35f2 100644 --- a/rules/linux/persistence_kernel_module_activity.toml +++ b/rules/linux/persistence_kernel_module_activity.toml @@ -13,6 +13,7 @@ false_positives = [ programs by ordinary users is uncommon. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index 53b5c2d69..3b1e6a8f2 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -13,6 +13,7 @@ false_positives = [ behavior. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml index 0c5669878..15bba2569 100644 --- a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml +++ b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml @@ -12,6 +12,7 @@ group. An adversary can take advantage of this to either do a shell escape or ex with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" diff --git a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml index 9d5baa469..63a75fc6e 100644 --- a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml +++ b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml @@ -12,6 +12,7 @@ user. An adversary can take advantage of this to either do a shell escape or exp with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" diff --git a/rules/linux/privilege_escalation_sudoers_file_mod.toml b/rules/linux/privilege_escalation_sudoers_file_mod.toml index aa9b8902d..f8ef3f43d 100644 --- a/rules/linux/privilege_escalation_sudoers_file_mod.toml +++ b/rules/linux/privilege_escalation_sudoers_file_mod.toml @@ -10,6 +10,7 @@ description = """ A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index 62739e728..cc11a7b5f 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -10,6 +10,7 @@ description = """ Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index 623804d8c..fc238bbbc 100755 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically lin credential management. This technique is sometimes used for credential dumping. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index bd4aa3b63..1ace7f49b 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -7,6 +7,7 @@ updated_date = "2020/08/03" [rule] author = ["Elastic"] description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection." +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index f32874a30..721c2a781 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -10,6 +10,7 @@ description = """ Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index 106410156..408fdbb20 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -10,6 +10,7 @@ description = """ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml index b338212aa..cdd94251a 100644 --- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml @@ -10,6 +10,7 @@ description = """ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index 23dfc9adf..e1606f880 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -10,6 +10,7 @@ description = """ Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml index 8bf4dc7f1..12ab8c956 100644 --- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml +++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml @@ -11,6 +11,7 @@ Identifies the use of certutil.exe to encode or decode data. CertUtil is a nativ Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 196804c6f..13f1b1100 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -16,6 +16,7 @@ false_positives = [ this program to be started by an Office application like Word or Excel. """, ] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 2d9d798d5..07ca634f7 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by a script or t behavior is unusual and is sometimes used by malicious payloads. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index df94b2635..a1068c109 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or t Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 150a056a9..7d02df3c7 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started after being rena indicate an attempt to run unnoticed or undetected. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index 54bcef148..6d907bde0 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -16,6 +16,7 @@ false_positives = [ triggers this rule it can be exempted by process, user or host name. """, ] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index 42728cb04..58188227d 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -11,6 +11,7 @@ Binaries signed with trusted digital certificates can execute on Windows systems validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml index 7eefd48bc..50a299ba5 100644 --- a/rules/windows/defense_evasion_modification_of_boot_config.toml +++ b/rules/windows/defense_evasion_modification_of_boot_config.toml @@ -10,6 +10,7 @@ description = """ Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml index d65cd5d97..47eaa271e 100644 --- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml +++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml @@ -10,6 +10,7 @@ description = """ Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml index ad4ec6d27..faa97c024 100644 --- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml @@ -10,6 +10,7 @@ description = """ Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml index 609a07068..2cb2c89f9 100644 --- a/rules/windows/discovery_net_command_system_account.toml +++ b/rules/windows/discovery_net_command_system_account.toml @@ -10,6 +10,7 @@ description = """ Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It is used in command line operations for control of users, groups, services, and network connections. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index df1f95fe5..e551aa0cc 100644 --- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -16,6 +16,7 @@ false_positives = [ environment for network connections being made from the command prompt to determine any abnormal use of this tool. """, ] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml index 969c20679..27ad78858 100644 --- a/rules/windows/execution_command_shell_started_by_powershell.toml +++ b/rules/windows/execution_command_shell_started_by_powershell.toml @@ -7,6 +7,7 @@ updated_date = "2020/08/03" [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe." +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index 3d2d373ef..85ba00ffc 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -7,6 +7,7 @@ updated_date = "2020/08/03" [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe" +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index 9df1126fa..a903eb70f 100644 --- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -11,6 +11,7 @@ Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTM malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_local_service_commands.toml b/rules/windows/execution_local_service_commands.toml index e6a88aba5..3fb3f90ad 100644 --- a/rules/windows/execution_local_service_commands.toml +++ b/rules/windows/execution_local_service_commands.toml @@ -10,6 +10,7 @@ description = """ Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_msbuild_making_network_connections.toml b/rules/windows/execution_msbuild_making_network_connections.toml index 79da5074f..6de95b101 100644 --- a/rules/windows/execution_msbuild_making_network_connections.toml +++ b/rules/windows/execution_msbuild_making_network_connections.toml @@ -10,6 +10,7 @@ description = """ Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_mshta_making_network_connections.toml b/rules/windows/execution_mshta_making_network_connections.toml index ef530f61a..974082341 100644 --- a/rules/windows/execution_mshta_making_network_connections.toml +++ b/rules/windows/execution_mshta_making_network_connections.toml @@ -10,6 +10,7 @@ description = """ Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_msxsl_network.toml b/rules/windows/execution_msxsl_network.toml index ff8749acb..c74889caf 100644 --- a/rules/windows/execution_msxsl_network.toml +++ b/rules/windows/execution_msxsl_network.toml @@ -10,6 +10,7 @@ description = """ Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index ea287db7c..48f196a00 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml @@ -16,6 +16,7 @@ false_positives = [ environment to determine the amount of noise to expect from this tool. """, ] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index a0f0eee90..ff3b789f1 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -16,6 +16,7 @@ false_positives = [ is unusual. """, ] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_script_executing_powershell.toml b/rules/windows/execution_script_executing_powershell.toml index ac6ddc50a..4cfef855c 100644 --- a/rules/windows/execution_script_executing_powershell.toml +++ b/rules/windows/execution_script_executing_powershell.toml @@ -10,6 +10,7 @@ description = """ Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_suspicious_ms_office_child_process.toml b/rules/windows/execution_suspicious_ms_office_child_process.toml index c57995091..a348bf964 100644 --- a/rules/windows/execution_suspicious_ms_office_child_process.toml +++ b/rules/windows/execution_suspicious_ms_office_child_process.toml @@ -11,6 +11,7 @@ Identifies suspicious child processes of frequently targeted Microsoft Office ap These child processes are often launched during exploitation of Office applications or from documents with malicious macros. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_suspicious_ms_outlook_child_process.toml b/rules/windows/execution_suspicious_ms_outlook_child_process.toml index 692ca7f69..f5d90dd65 100644 --- a/rules/windows/execution_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/execution_suspicious_ms_outlook_child_process.toml @@ -10,6 +10,7 @@ description = """ Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index d04237399..98c63fabf 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -10,6 +10,7 @@ description = """ Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_unusual_network_connection_via_rundll32.toml b/rules/windows/execution_unusual_network_connection_via_rundll32.toml index 91608c47c..ada1790ae 100644 --- a/rules/windows/execution_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/execution_unusual_network_connection_via_rundll32.toml @@ -10,6 +10,7 @@ description = """ Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_unusual_process_network_connection.toml b/rules/windows/execution_unusual_process_network_connection.toml index 81cd7e399..ebb9ce696 100644 --- a/rules/windows/execution_unusual_process_network_connection.toml +++ b/rules/windows/execution_unusual_process_network_connection.toml @@ -10,6 +10,7 @@ description = """ Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml index 7de84f8a6..71979f871 100644 --- a/rules/windows/execution_via_net_com_assemblies.toml +++ b/rules/windows/execution_via_net_com_assemblies.toml @@ -11,6 +11,7 @@ RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to r (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml index fb36d4970..70de1a68c 100644 --- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml @@ -12,6 +12,7 @@ over Server Message Block (SMB), which communicates between hosts using port 445 connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index f05ec7a48..1daa6b374 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -7,6 +7,7 @@ updated_date = "2020/08/03" [rule] author = ["Elastic"] description = "Detects writing executable files that will be automatically launched by Adobe on launch." +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml index 72493963c..0b1df15f9 100644 --- a/rules/windows/persistence_local_scheduled_task_commands.toml +++ b/rules/windows/persistence_local_scheduled_task_commands.toml @@ -8,6 +8,7 @@ updated_date = "2020/08/03" author = ["Elastic"] description = "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges." false_positives = ["Legitimate scheduled tasks may be created during installation of new software."] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index ad88e5ee8..743533a49 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -10,6 +10,7 @@ description = """ Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 71ff7a0b9..159df5af5 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -10,6 +10,7 @@ description = """ Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index 9fb282690..59659e31b 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -10,6 +10,7 @@ description = """ Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 9e56cdfc9..57dcd66cd 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -10,6 +10,7 @@ description = """ Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License"