From be085368809b61682464c581ae3108d3a247a3fa Mon Sep 17 00:00:00 2001 
From: Justin Ibarra
Date: Fri, 21 Aug 2020 12:23:43 -0500
Subject: [PATCH 1/2] Increase lookback for endpoint rules (#200)
---
rules/linux/credential_access_tcpdump_activity.toml | 1 +
...defense_evasion_attempt_to_disable_iptables_or_firewall.toml | 2 ++
.../defense_evasion_attempt_to_disable_syslog_service.toml | 1 +
..._evasion_base16_or_base32_encoding_or_decoding_activity.toml | 1 +
.../defense_evasion_base64_encoding_or_decoding_activity.toml | 1 +
.../defense_evasion_deletion_of_bash_command_line_history.toml | 1 +
rules/linux/defense_evasion_disable_selinux_attempt.toml | 1 +
rules/linux/defense_evasion_file_deletion_via_shred.toml | 1 +
rules/linux/defense_evasion_file_mod_writable_dir.toml | 1 +
.../defense_evasion_hex_encoding_or_decoding_activity.toml | 2 ++
rules/linux/defense_evasion_hidden_file_dir_tmp.toml | 2 ++
rules/linux/defense_evasion_kernel_module_removal.toml | 2 ++
rules/linux/discovery_kernel_module_enumeration.toml | 1 +
rules/linux/discovery_virtual_machine_fingerprinting.toml | 2 ++
rules/linux/discovery_whoami_commmand.toml | 1 +
rules/linux/execution_perl_tty_shell.toml | 1 +
rules/linux/execution_python_tty_shell.toml | 1 +
.../lateral_movement_telnet_network_activity_external.toml | 1 +
.../lateral_movement_telnet_network_activity_internal.toml | 1 +
rules/linux/linux_hping_activity.toml | 1 +
rules/linux/linux_iodine_activity.toml | 1 +
rules/linux/linux_mknod_activity.toml | 1 +
rules/linux/linux_netcat_network_connection.toml | 1 +
rules/linux/linux_nmap_activity.toml | 1 +
rules/linux/linux_nping_activity.toml | 1 +
rules/linux/linux_process_started_in_temp_directory.toml | 1 +
rules/linux/linux_socat_activity.toml | 1 +
rules/linux/linux_strace_activity.toml | 1 +
rules/linux/persistence_kernel_module_activity.toml | 1 +
rules/linux/persistence_shell_activity_by_web_server.toml | 1 +
rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml | 1 +
rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml | 1 +
rules/linux/privilege_escalation_sudoers_file_mod.toml | 1 +
.../command_and_control_certutil_network_connection.toml | 1 +
rules/windows/credential_access_credential_dumping_msbuild.toml | 1 +
...ion_adding_the_hidden_file_attribute_with_via_attribexe.toml | 1 +
rules/windows/defense_evasion_clearing_windows_event_logs.toml | 1 +
.../defense_evasion_delete_volume_usn_journal_with_fsutil.toml | 1 +
.../defense_evasion_deleting_backup_catalogs_with_wbadmin.toml | 1 +
...fense_evasion_disable_windows_firewall_rules_with_netsh.toml | 1 +
...defense_evasion_encoding_or_decoding_files_via_certutil.toml | 1 +
...defense_evasion_execution_msbuild_started_by_office_app.toml | 1 +
.../defense_evasion_execution_msbuild_started_by_script.toml | 1 +
...nse_evasion_execution_msbuild_started_by_system_process.toml | 1 +
.../defense_evasion_execution_msbuild_started_renamed.toml | 1 +
...efense_evasion_execution_msbuild_started_unusal_process.toml | 2 ++
.../defense_evasion_misc_lolbin_connecting_to_the_internet.toml | 1 +
rules/windows/defense_evasion_modification_of_boot_config.toml | 1 +
...efense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml | 1 +
.../defense_evasion_volume_shadow_copy_deletion_via_wmic.toml | 1 +
rules/windows/discovery_net_command_system_account.toml | 1 +
.../execution_command_prompt_connecting_to_the_internet.toml | 1 +
.../windows/execution_command_shell_started_by_powershell.toml | 1 +
rules/windows/execution_command_shell_started_by_svchost.toml | 1 +
...html_help_executable_program_connecting_to_the_internet.toml | 1 +
rules/windows/execution_local_service_commands.toml | 1 +
rules/windows/execution_msbuild_making_network_connections.toml | 1 +
rules/windows/execution_mshta_making_network_connections.toml | 1 +
rules/windows/execution_msxsl_network.toml | 1 +
rules/windows/execution_psexec_lateral_movement_command.toml | 1 +
...tion_register_server_program_connecting_to_the_internet.toml | 1 +
rules/windows/execution_script_executing_powershell.toml | 1 +
rules/windows/execution_suspicious_ms_office_child_process.toml | 1 +
.../windows/execution_suspicious_ms_outlook_child_process.toml | 1 +
rules/windows/execution_suspicious_pdf_reader.toml | 1 +
.../execution_unusual_network_connection_via_rundll32.toml | 1 +
rules/windows/execution_unusual_process_network_connection.toml | 1 +
rules/windows/execution_via_net_com_assemblies.toml | 1 +
.../lateral_movement_direct_outbound_smb_connection.toml | 1 +
rules/windows/persistence_adobe_hijack_persistence.toml | 1 +
rules/windows/persistence_local_scheduled_task_commands.toml | 1 +
rules/windows/persistence_system_shells_via_services.toml | 1 +
rules/windows/persistence_user_account_creation.toml | 1 +
rules/windows/privilege_escalation_uac_bypass_event_viewer.toml | 1 +
.../privilege_escalation_unusual_parentchild_relationship.toml | 1 +
75 files changed, 81 insertions(+)
diff --git a/rules/linux/credential_access_tcpdump_activity.toml b/rules/linux/credential_access_tcpdump_activity.toml
index 7145f748e..641badbed 100644
--- a/rules/linux/credential_access_tcpdump_activity.toml
+++ b/rules/linux/credential_access_tcpdump_activity.toml
@@ -17,6 +17,7 @@ false_positives = [
 troubleshooting.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index 038ae74a7..001a2b786 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
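Review bot: The new `from = "now-9m"` line is a bare magic value; nothing in the hunk records what the window is for or how it relates to the rule's run cadence (no `interval` key is visible, so the effective overlap depends on a default defined elsewhere). The same unexplained key is inserted in every other file of this patch, so the reasoning should be written once where the next maintainer will see it, e.g. above the key: `# lookback window, widened for endpoint data sources (#200); keep it larger than the run interval`. Presumably the extra minutes are meant to absorb endpoint ingest latency so late-indexed events are still queried, but the commit does not say so and that should be confirmed rather than inferred. Several files also gain a trailing empty line at EOF in their second hunk (iptables, hex-encoding, hidden-file, kernel-module-removal, VM-fingerprinting, msbuild-unusual-process), which looks like an artifact of the edit rather than an intended change and leaves those files with two trailing newlines.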
@@ -10,6 +10,7 @@ description = """ Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" @@ -43,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1089/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index c941316fb..4061669c6 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -10,6 +10,7 @@ description = """ Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index c6e16b4ea..63c71c427 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -13,6 +13,7 @@ false_positives = [ filtered by the process executable or username values. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml index 1d5fee6c1..299038e0a 100644 --- a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml 
+++ b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml @@ -13,6 +13,7 @@ false_positives = [ filtered by the process executable or username values. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml index 45ee70cca..c9cf4b34c 100644 --- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml @@ -10,6 +10,7 @@ description = """ Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic investigations. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 5137a0630..59f30afaa 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -11,6 +11,7 @@ Identifies potential attempts to disable Security-Enhanced Linux (SELinux), whic support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 7f251f849..cf0b424b5 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml 
@@ -11,6 +11,7 @@ Malware or other files dropped or created on a system by an adversary may leave a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index aca3b6db1..36392d8d8 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -16,6 +16,7 @@ false_positives = [ by username. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml index 3b939cd2c..3566d4ade 100644 --- a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml @@ -13,6 +13,7 @@ false_positives = [ filtered by the process executable or username values. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" @@ -52,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1027/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 54fa8b457..919f136bf 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml 
@@ -17,6 +17,7 @@ false_positives = [
 behavior. These events can be filtered by the process arguments, username, or process name values.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
 license = "Elastic License"
@@ -60,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1158/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index 8bb2d8807..6fe2bd48b 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -17,6 +17,7 @@ false_positives = [
 Note that some Linux distributions are not built to support the removal of modules at all.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -58,3 +59,4 @@ reference = "https://attack.mitre.org/techniques/T1215/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index fd4e0000d..2133934a0 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -17,6 +17,7 @@ false_positives = [
 by ordinary users is uncommon. These can be exempted by process name or username.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 0e109aeed..da302d63b 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -17,6 +17,7 @@ false_positives = [ process arguments to eliminate potential noise. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" @@ -50,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1082/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_whoami_commmand.toml b/rules/linux/discovery_whoami_commmand.toml index 5ee71eb16..a64741cf2 100644 --- a/rules/linux/discovery_whoami_commmand.toml +++ b/rules/linux/discovery_whoami_commmand.toml @@ -16,6 +16,7 @@ false_positives = [ automation tools and frameworks. """, ] +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index cfb130baa..ce4897a6f 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -10,6 +10,7 @@ description = """ Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 4797701bd..be95fae71 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -10,6 +10,7 @@ description = """ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" 
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index acf4ca0f7..e2080825b 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -18,6 +18,7 @@ false_positives = [
 suspicious.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index a3d5b28a3..5c4e36801 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -18,6 +18,7 @@ false_positives = [
 suspicious.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/linux_hping_activity.toml
index 02fc27d21..d95fb01ab 100644
--- a/rules/linux/linux_hping_activity.toml
+++ b/rules/linux/linux_hping_activity.toml
@@ -16,6 +16,7 @@ false_positives = [
 uncommon.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/linux_iodine_activity.toml b/rules/linux/linux_iodine_activity.toml
index 74333785a..fe00166b0 100644
--- a/rules/linux/linux_iodine_activity.toml
+++ b/rules/linux/linux_iodine_activity.toml
@@ -16,6 +16,7 @@ false_positives = [
 uncommon.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml
index fcd61dd3e..ed5a73a4f 100644
--- a/rules/linux/linux_mknod_activity.toml
+++ b/rules/linux/linux_mknod_activity.toml
@@ -16,6 +16,7 @@ false_positives = [
 scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/linux_netcat_network_connection.toml b/rules/linux/linux_netcat_network_connection.toml
index 9b15f116e..3371ad042 100644
--- a/rules/linux/linux_netcat_network_connection.toml
+++ b/rules/linux/linux_netcat_network_connection.toml
@@ -18,6 +18,7 @@ false_positives = [
 originate from scripts, automation tools, and frameworks.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/linux_nmap_activity.toml b/rules/linux/linux_nmap_activity.toml
index 6d87a3da2..e28f6618f 100644
--- a/rules/linux/linux_nmap_activity.toml
+++ b/rules/linux/linux_nmap_activity.toml
@@ -18,6 +18,7 @@ false_positives = [
 uncommon.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/linux_nping_activity.toml b/rules/linux/linux_nping_activity.toml
index f5e8f9cad..78fd86a30 100644
--- a/rules/linux/linux_nping_activity.toml
+++ b/rules/linux/linux_nping_activity.toml
@@ -16,6 +16,7 @@ false_positives = [
 is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/linux_process_started_in_temp_directory.toml b/rules/linux/linux_process_started_in_temp_directory.toml
index 2d81696cb..25ab4238a 100644
--- a/rules/linux/linux_process_started_in_temp_directory.toml
+++ b/rules/linux/linux_process_started_in_temp_directory.toml
@@ -13,6 +13,7 @@ false_positives = [
 username.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/linux_socat_activity.toml b/rules/linux/linux_socat_activity.toml
index f5211e6f6..8daa896f4 100644
--- a/rules/linux/linux_socat_activity.toml
+++ b/rules/linux/linux_socat_activity.toml
@@ -17,6 +17,7 @@ false_positives = [
 more likely to be suspicious.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/linux_strace_activity.toml b/rules/linux/linux_strace_activity.toml
index 6eeb921b8..f8a29eed5 100644
--- a/rules/linux/linux_strace_activity.toml
+++ b/rules/linux/linux_strace_activity.toml
@@ -16,6 +16,7 @@ false_positives = [
 originate from developers or SREs engaged in debugging or system call tracing.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/persistence_kernel_module_activity.toml b/rules/linux/persistence_kernel_module_activity.toml
index d56fe31a4..cd765990c 100644
--- a/rules/linux/persistence_kernel_module_activity.toml
+++ b/rules/linux/persistence_kernel_module_activity.toml
@@ -13,6 +13,7 @@ false_positives = [
 programs by ordinary users is uncommon.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 4f1b3756f..3507e3c42 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
@@ -13,6 +13,7 @@ false_positives = [
 behavior.
 """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml index 630627157..40bed08b3 100644 --- a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml +++ b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml @@ -12,6 +12,7 @@ group. An adversary can take advantage of this to either do a shell escape or ex with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" diff --git a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml index e22b942df..a6886db79 100644 --- a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml +++ b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml @@ -12,6 +12,7 @@ user. An adversary can take advantage of this to either do a shell escape or exp with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" diff --git a/rules/linux/privilege_escalation_sudoers_file_mod.toml b/rules/linux/privilege_escalation_sudoers_file_mod.toml index c8dc10e18..61a1bc155 100644 --- a/rules/linux/privilege_escalation_sudoers_file_mod.toml +++ b/rules/linux/privilege_escalation_sudoers_file_mod.toml 
@@ -10,6 +10,7 @@ description = """ A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index abbca7e7e..20975fd4a 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -10,6 +10,7 @@ description = """ Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index def097060..1a4b117f9 100755 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically lin credential management. This technique is sometimes used for credential dumping. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index b203399ff..6ae5affce 100644 
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -7,6 +7,7 @@ updated_date = "2020/08/03" [rule] author = ["Elastic"] description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection." +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index b65cc902d..5b5461060 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -10,6 +10,7 @@ description = """ Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index 42a5aefd0..3bd794f2d 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -10,6 +10,7 @@ description = """ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" 
diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml index 6b5c50ce4..dffe1351e 100644 --- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml @@ -10,6 +10,7 @@ description = """ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index ab02cffaa..dc2d0d586 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -10,6 +10,7 @@ description = """ Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml index 3e2d67d05..e02d86a92 100644 --- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml +++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml 
@@ -11,6 +11,7 @@ Identifies the use of certutil.exe to encode or decode data. CertUtil is a nativ Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 9d0d6dfc3..301b006e4 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -16,6 +16,7 @@ false_positives = [ this program to be started by an Office application like Word or Excel. """, ] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 673435c93..019ac3de0 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by a script or t behavior is unusual and is sometimes used by malicious payloads. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 8d4a0866a..fa3b4a0cf 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml 
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or t
 Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index c13272014..215b3d8c4 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started after being rena
 indicate an attempt to run unnoticed or undetected.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index d4fe4fbf4..aa525c3fe 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -16,6 +16,7 @@ false_positives = [
 triggers this rule it can be exempted by process, user or host name.
 """,
 ]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -45,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1500/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index a6fa2e30f..968850fbe 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -11,6 +11,7 @@ Binaries signed with trusted digital certificates can execute on Windows systems
 validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml
index ef4724d79..f5a22de94 100644
--- a/rules/windows/defense_evasion_modification_of_boot_config.toml
+++ b/rules/windows/defense_evasion_modification_of_boot_config.toml
@@ -10,6 +10,7 @@ description = """
 Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
index f6f8267fa..b446f2461 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
@@ -10,6 +10,7 @@ description = """
 Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
index d97a60dd5..29e0e4271 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
@@ -10,6 +10,7 @@ description = """
 Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index dee53f544..5e8aa8032 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -10,6 +10,7 @@ description = """
 Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It is used in command line operations for control of users, groups, services, and network connections.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 2dece8ce1..9048ab0d1 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -16,6 +16,7 @@ false_positives = [
 environment for network connections being made from the command prompt to determine any abnormal use of this tool.
 """,
 ]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml
index 9226f2098..602932566 100644
--- a/rules/windows/execution_command_shell_started_by_powershell.toml
+++ b/rules/windows/execution_command_shell_started_by_powershell.toml
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe."
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index cda2b79d9..3f93e237f 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 6219becb3..6d9dbc9e1 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -11,6 +11,7 @@ Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTM
 malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_local_service_commands.toml b/rules/windows/execution_local_service_commands.toml
index 484c02d1c..5b85344e1 100644
--- a/rules/windows/execution_local_service_commands.toml
+++ b/rules/windows/execution_local_service_commands.toml
@@ -10,6 +10,7 @@ description = """
 Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_msbuild_making_network_connections.toml b/rules/windows/execution_msbuild_making_network_connections.toml
index bc7d549b3..9f3090506 100644
--- a/rules/windows/execution_msbuild_making_network_connections.toml
+++ b/rules/windows/execution_msbuild_making_network_connections.toml
@@ -10,6 +10,7 @@ description = """
 Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_mshta_making_network_connections.toml b/rules/windows/execution_mshta_making_network_connections.toml
index 915bf7515..96e9bb80b 100644
--- a/rules/windows/execution_mshta_making_network_connections.toml
+++ b/rules/windows/execution_mshta_making_network_connections.toml
@@ -10,6 +10,7 @@ description = """
 Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_msxsl_network.toml b/rules/windows/execution_msxsl_network.toml
index 071cd085e..d80a62fbe 100644
--- a/rules/windows/execution_msxsl_network.toml
+++ b/rules/windows/execution_msxsl_network.toml
@@ -10,6 +10,7 @@ description = """
 Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 07e5f4532..aac197eee 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -16,6 +16,7 @@ false_positives = [
 environment to determine the amount of noise to expect from this tool.
 """,
 ]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 606e297a5..35db74c42 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -16,6 +16,7 @@ false_positives = [
 is unusual.
 """,
 ]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_script_executing_powershell.toml b/rules/windows/execution_script_executing_powershell.toml
index 3e079cd56..4c9888739 100644
--- a/rules/windows/execution_script_executing_powershell.toml
+++ b/rules/windows/execution_script_executing_powershell.toml
@@ -10,6 +10,7 @@ description = """
 Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_suspicious_ms_office_child_process.toml b/rules/windows/execution_suspicious_ms_office_child_process.toml
index f93227663..a22aa864d 100644
--- a/rules/windows/execution_suspicious_ms_office_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_office_child_process.toml
@@ -11,6 +11,7 @@ Identifies suspicious child processes of frequently targeted Microsoft Office ap
 These child processes are often launched during exploitation of Office applications or from documents with malicious macros.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_suspicious_ms_outlook_child_process.toml b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
index a7d83b821..8160477ee 100644
--- a/rules/windows/execution_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
@@ -10,6 +10,7 @@ description = """
 Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index dc8c4d49d..9780e2773 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -10,6 +10,7 @@ description = """
 Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_unusual_network_connection_via_rundll32.toml b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
index d2249a31d..59d01c073 100644
--- a/rules/windows/execution_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
@@ -10,6 +10,7 @@ description = """
 Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_unusual_process_network_connection.toml b/rules/windows/execution_unusual_process_network_connection.toml
index 9d531ee19..a83f1b083 100644
--- a/rules/windows/execution_unusual_process_network_connection.toml
+++ b/rules/windows/execution_unusual_process_network_connection.toml
@@ -10,6 +10,7 @@ description = """
 Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml
index 09066b96e..a559768a7 100644
--- a/rules/windows/execution_via_net_com_assemblies.toml
+++ b/rules/windows/execution_via_net_com_assemblies.toml
@@ -11,6 +11,7 @@ RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to r
 (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 73f27dd62..9d6526ba4 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -12,6 +12,7 @@ over Server Message Block (SMB), which communicates between hosts using port 445
 connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 11790c66b..31c5e2447 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = "Detects writing executable files that will be automatically launched by Adobe on launch."
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml
index ce71a86b2..55989d661 100644
--- a/rules/windows/persistence_local_scheduled_task_commands.toml
+++ b/rules/windows/persistence_local_scheduled_task_commands.toml
@@ -8,6 +8,7 @@ updated_date = "2020/08/03"
 author = ["Elastic"]
 description = "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges."
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 7a9ded5c3..9273b41b3 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -10,6 +10,7 @@ description = """
 Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index ccb3eec67..8bf704dba 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -10,6 +10,7 @@ description = """
 Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 930219330..6e4b402a7 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -10,6 +10,7 @@ description = """
 Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 71ee6363c..06920b26e 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -10,6 +10,7 @@ description = """
 Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
From 4ffdc46ba7ed68ce75bcdb520272c81f2bf64c20 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Thu, 27 Aug 2020 14:47:29 -0800
Subject: [PATCH 2/2] Lock rule versions (#207)
---
 etc/version.lock.json | 300 +++++++++++++++++++++---------------------
 1 file changed, 150 insertions(+), 150 deletions(-)
diff --git a/etc/version.lock.json b/etc/version.lock.json
index 243a8d850..676bce07a 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -6,18 +6,18 @@
 },
 "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
 "rule_name": "System Shells via Services",
- "sha256": "f68a9dce69186cf8572e292ecf08940d2147a15758ea95fdc2c7f088de2b90cf",
- "version": 3
+ "sha256": "6d47bcc98a871cdd3e70fe35d093133b1c731a17ffb0c7ea03fd0d61fc00dc02",
+ "version": 4
 },
 "041d4d41-9589-43e2-ba13-5680af75ebc2": {
 "rule_name": "Potential DNS Tunneling via Iodine",
- "sha256": "b5191f150c1ebb72435b3d9f7fa94f5899d19721c18e0bdaa29fd60fa8467bc7",
- "version": 3
+ "sha256": "c17a009f2b1b2146fcda7e2375a6560d89536bca1d9fcc52ad5c444b4bcfc179",
+ "version": 4
 },
 "05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
 "rule_name": "Interactive Terminal Spawned via Perl",
- "sha256": "d0be61c3e42cf4bde25d38756c9c22b8a22823b69d30a865812f5df76e36694f",
- "version": 2
+ "sha256": "d88cc0ea7309e063e63b8241cc54e7e269ae1b33866dd3bf8f46c438d0d308d7",
+ "version": 3
 },
 "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
 "rule_name": "Potential Evasion via Filter Manager",
@@ -41,28 +41,28 @@
 },
 "0d69150b-96f8-467c-a86d-a67a3378ce77": {
 "rule_name": "Nping Process Activity",
- "sha256": "c85589b020359d809d3f65951b4cee3cc7c10da104effeeaa2fc920eed8ff4a6",
- "version": 3
+ "sha256": "182668d6e35a7cd6ee4f8c9d4c8254a38d117cae8f100783156fcb793fbe0fac",
+ "version": 4
 },
 "0e79980b-4250-4a50-a509-69294c14e84b": {
 "rule_name": "MsBuild Making Network Connections",
- "sha256": "11cb63b795999bdd1ea0eb1d4cbf5c6b8d86c4945a480136eeaa80f9161fd522",
- "version": 3
+ "sha256": "fa80576323984a1cdbae7de84168b41ea9aa136a4d4eb5b1881c30927aa2d72e",
+ "version": 4
 },
 "0f616aee-8161-4120-857e-742366f5eeb3": {
 "rule_name": "PowerShell spawning Cmd",
- "sha256": "823211d2d9e7031bcc9ea0b8602b7e2dda7d6cf7b53dee522c071d8fd2a71d2a",
- "version": 3
+ "sha256": "059dc81a07c9f3e03e8a0789bff2cb08a59001fdf8fe3a1cb0bcda6d3caa7bc1",
+ "version": 4
 },
 "120559c6-5e24-49f4-9e30-8ffe697df6b9": {
 "rule_name": "User Discovery via Whoami",
- "sha256": "5b24e533677a2f73bf8b544ce6fbf607947458de6b8882958699b9598a3d4a60",
- "version": 3
+ "sha256": "07e4c45585d14e41fadd1bb2f2d089924be88eeb447ed751d600b3ea06d118f2",
+ "version": 4
 },
 "125417b8-d3df-479f-8418-12d7e034fee3": {
 "rule_name": "Attempt to Disable IPTables or Firewall",
- "sha256": "cbc8586826f96d5f656bee2ad503dd04e7969434458387de04f4064d8339fa9f",
- "version": 2
+ "sha256": "59632e186f6b83ff142f1be24f88219a64b9eba91582c6d1151737be05565348",
+ "version": 3
 },
 "139c7458-566a-410c-a5cd-f80238d6a5cd": {
 "rule_name": "SQL Traffic to the Internet",
@@ -121,13 +121,13 @@
 },
 "1aa9181a-492b-4c01-8b16-fa0735786b2b": {
 "rule_name": "User Account Creation",
- "sha256": "74696927e06e5fe8c85631d79fbe1c3a4a6b4050e8a47bbe7c15189a0407a7fb",
- "version": 3
+ "sha256": "402a5e361bf78100cbd475dfe6d13b574e07edaa4fd6515e9c6ad9b2cb741ec4",
+ "version": 4
 },
 "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
 "rule_name": "Connection to Internal Network via Telnet",
- "sha256": "7bb31e4849331d9eb2654a8dcc8e8f7e92932705a68217ddfeaf56def57a7e85",
- "version": 2
+ "sha256": "2e57557c9b3fcb6208d6c61b61fa0c76f5155884ab6f0ee01c7ddd1527283d13",
+ "version": 3
 },
 "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
 "rule_name": "Exploit - Detected - Elastic Endpoint Security",
@@ -141,13 +141,13 @@
 },
 "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
 "rule_name": "Potential Shell via Web Server",
- "sha256": "4bfbdc1a0d610ccb336a4816910e33f31ab91509561cfd36f9796e0a3ac975fc",
- "version": 4
+ "sha256": "0ffb12553181b7aba190ba88d9e29ad6f0e6e41cb0b0c290dc111c8c5ebc463d",
+ "version": 5
 },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "rule_name": "Net command via SYSTEM account",
- "sha256": "ea63231f092eb92bb5af6281ae6a75d533362eff9969622f300b444469215456",
- "version": 2
+ "sha256": "8b67949307e8e23b7ba787b251923997097cd417c90f07c137ff306f8ffeee58",
+ "version": 3
 },
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
 "rule_name": "Exploit - Prevented - Elastic Endpoint Security",
@@ -156,23 +156,23 @@
 },
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "rule_name": "Adobe Hijack Persistence",
- "sha256": "05564512fe328ac4a4fcfffe78ae6a65ea0d787a48aceaf575edae53c7f95d0f",
- "version": 3
+ "sha256": "10a5ff3172ab7265ac7e29a3d64a77992312238f2c35037d3a723bbd26644eac",
+ "version": 4
 },
 "2d8043ed-5bda-4caf-801c-c1feb7410504": {
 "rule_name": "Enumeration of Kernel Modules",
- "sha256": "d599196e0f60c0f8dffb2d1fca21196e2c6ddf937531106b6bb8e633bfcc3333",
- "version": 2
+ "sha256": "3a00bcfef88df687e9f60af981f5e45b7f1d7275c637bf6d346c9a8424ed4aa2",
+ "version": 3
 },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
 "rule_name": "Attempt to Disable Syslog Service",
- "sha256": "c374f6e74954bf81a5cbbe653d457c42b7f23208449b56ac24281d0d6a1e91db",
- "version": 2
+ "sha256": "a2a3c2eb4e76f3161927f2f3708a7831c0254f05598cf174afe04e173b9b726e",
+ "version": 3
 },
 "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
 "rule_name": "Bypass UAC via Event Viewer",
- "sha256": "92fb6101c53b13f0bf3405f410860ce804f3ba778e06f566431dcda90fe894ba",
- "version": 2
+ "sha256": "d639e962c341c024aaf84dc2d15fb964b80d6ffeb33446bfc689972ac0e74896",
+ "version": 3
 },
 "32923416-763a-4531-bb35-f33b9232ecdb": {
 "rule_name": "RPC (Remote Procedure Call) to the Internet",
@@ -181,8 +181,8 @@
 },
 "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
 "rule_name": "Suspicious MS Outlook Child Process",
- "sha256": "582776dd04e5cd8c0f07883b793d2cb8e663233686cd8261b144e394e5bc00b3",
- "version": 3
+ "sha256": "20851dcbbe8b5b2d488ec89f42ae0a34d28ca793f91c59c9a746a071063e4fd5",
+ "version": 4
 },
 "333de828-8190-4cf5-8d7c-7575846f6fe0": {
 "rule_name": "AWS IAM User Addition to Group",
@@ -196,8 +196,8 @@
 },
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "rule_name": "Unusual Parent-Child Relationship",
- "sha256": "7ce5606939cea6e45c7659bde7b679c0c33a164a9cecae385eb2a89379b7bcde",
- "version": 3
+ "sha256": "d6cfb4698aec1b5cf0d032dc63a045734b6d2f64f1512eed04ec2830dae5edc5",
+ "version": 4
 },
 "37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
 "rule_name": "AWS Execution via System Manager",
@@ -211,8 +211,8 @@
 },
 "3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
 "rule_name": "Network Connection via Certutil",
- "sha256": "9d456ed87d910cb6ebb86be154c58f80a7e4a011f8f55ddc2ff451f3efc23fe9",
- "version": 2
+ "sha256": "2ddb1724d79b9606e5fa60cef5a8ea1b4f61ca4586693d6fa9c74083bbb86402",
+ "version": 3
 },
 "39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
 "rule_name": "AWS EC2 Network Access Control List Creation",
@@ -221,8 +221,8 @@
 },
 "3a86e085-094c-412d-97ff-2439731e59cb": {
 "rule_name": "Setgid Bit Set via chmod",
- "sha256": "10a09743e9baaae69190eabcc1d7f6fc61ff8da5e7ff5a79208b7b25f2c05473",
- "version": 2
+ "sha256": "6b771c1099456446df103f77a607770b53cd33f3cf21ef60fda8a8a7914961c3",
+ "version": 3
 },
 "3ad49c61-7adc-42c1-b788-732eda2f5abf": {
 "rule_name": "VNC (Virtual Network Computing) to the Internet",
@@ -271,8 +271,8 @@
 },
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "9cd83ec78d98435f5388ded75a9b1034f52da57884d1052801099e79f1087072",
- "version": 3
+ "sha256": "cbd3d898a80fdb3bd7c79c2f6486138e0d9d4577d34256136ccc8282a54d12ea",
+ "version": 4
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "rule_name": "Unusual Process For a Linux Host",
@@ -281,13 +281,13 @@
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
- "sha256": "637246c78b6fa0905bfc47ca942265bc7fc7daa16e544a1dad9aacd0d8932e89",
- "version": 2
+ "sha256": "cb6f8a29b6e8e22054ad733b4c8d1e4a3203a08cc8333c9c0ced2057dba9e71e",
+ "version": 3
 },
 "4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "rule_name": "Disable Windows Firewall Rules via Netsh",
- "sha256": "5b03dfdf92939205720bd9a2a6ba3fcac321ab46278a63cf862a9ca8881623a7",
- "version": 3
+ "sha256": "7efb0cbeb8fdb7d49f6daeca8b7877ab7472b9bd0046e8e25596320bf7836d50",
+ "version": 4
 },
 "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
 "rule_name": "AWS GuardDuty Detector Deletion",
@@ -296,8 +296,8 @@
 },
 "52aaab7b-b51c-441a-89ce-4387b3aea886": {
 "rule_name": "Unusual Network Connection via RunDLL32",
- "sha256": "f92bcc8271ce1e1082d42f76466838e17a0e94800d8c667f36df7f5dc55a1f92",
- "version": 4
+ "sha256": "e091babf5f308e98b3f0d883ec8d4d6a7ead789f240e79b6c89b974ba77ac80f",
+ "version": 5
 },
 "52afbdc5-db15-485e-bc24-f5707f820c4b": {
 "rule_name": "Unusual Linux Network Activity",
@@ -316,13 +316,13 @@
 },
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "82ba007857d824bcb38916fca098f15f5bb777191a7403c8e31f860514664d6b",
- "version": 2
+ "sha256": "ecaccdda66ec525035e0abe4cc0c05cf1ca2bcb9ab42fc9b087d15e6df1af6b5",
+ "version": 3
 },
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "rule_name": "PsExec Network Connection",
- "sha256": "b05123353ff4a1d27d4631d4bbc2f16860b755c4c32ec12dd65583f752866f43",
- "version": 3
+ "sha256": "8906bc996c13a315e04670626ece6862e0fac10a206fe365d567c09c4b0ae50c",
+ "version": 4
 },
 "56557cde-d923-4b88-adee-c61b3f3b5dc3": {
 "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
@@ -341,8 +341,8 @@
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
- "sha256": "a2f23de5e7249c0e4e28212eca17fcf83fdbea776f898f3bc5c456d9b80deb43",
- "version": 3
+ "sha256": "711209a022fc43f31489e05a3dd413ef7c89e4bc058376f1bb54c98896dfaf94",
+ "version": 4
 },
 "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
 "rule_name": "AWS CloudTrail Log Created",
@@ -351,8 +351,8 @@
 },
 "5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
 "rule_name": "Virtual Machine Fingerprinting",
- "sha256": "1de8ead775e787c3256447c82655c40866a9513c245d1223939e04cb9f9763cf",
- "version": 2
+ "sha256": "9dfe20ded6d2881ef9ab368960f6232c28a7c20783b35ab2176cccff4ca8d19c",
+ "version": 3
 },
 "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
 "rule_name": "AWS WAF Rule or Rule Group Deletion",
@@ -361,18 +361,18 @@
 },
 "610949a1-312f-4e04-bb55-3a79b8c95267": {
 "rule_name": "Unusual Process Network Connection",
- "sha256": "1ad6e642d8c578f97d2569cc471059c7029ec1190e89c9dd0042c5a88906275b",
- "version": 3
+ "sha256": "e35d9a9c665928aa65a412aacdc9115351f3ce4a6d8c2588629b84e9243c341d",
+ "version": 4
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
- "sha256": "64a4c6687e8b28df55161028153804821cace7ea512cbabe778d559283d14a8d",
- "version": 3
+ "sha256": "87b5626a84518eec3d829cb474cb47532b10bb4a1d0b11d755c3682475d7cc3a",
+ "version": 4
 },
 "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
 "rule_name": "Network Connection via Signed Binary",
- "sha256": "404f0a34bef511d70d8dd11f094e02aa8a3fe938bdfb3d4441c4dbf6ea1a2cd3",
- "version": 3
+ "sha256": "548c73b1abd270a73ac51e0460895d3836f11ceadc8b19559a65c9618e20a118",
+ "version": 4
 },
 "647fc812-7996-4795-8869-9c4ea595fe88": {
 "rule_name": "Anomalous Process For a Linux Population",
@@ -406,8 +406,8 @@
 },
 "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
 "rule_name": "Modification of Boot Configuration",
- "sha256": "c9771d9c525e750a0017693621b03d3aef6a3ec5773461ed3a1661ab43f85b53",
- "version": 2
+ "sha256": "228c4a9cc746a7de36dcd5f9b3cc9c86d0b06e7aef98059cecf0b2a0c7ed2c2d",
+ "version": 3
 },
 "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
 "rule_name": "AWS IAM Password Recovery Requested",
@@ -476,13 +476,13 @@
 },
 "7a137d76-ce3d-48e2-947d-2747796a78c0": {
 "rule_name": "Network Sniffing via Tcpdump",
- "sha256": "c2c87b8c43abfa894c8e9d4fae2a21a63ad5e6608775215ee4315901207fc51d",
- "version": 3
+ "sha256": "ade46e96d842d8cbbf57a750750a9608f727e242b08491889ea63a07dffd4ca3",
+ "version": 4
 },
 "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
 "rule_name": "Deletion of Bash Command Line History",
- "sha256": "90b821385ca30c677f757792c1f20543e852cc3e84161b7c67418e0795598fc8",
- "version": 1
+ "sha256": "9d890cbfcc12c01039cba5c143d094316e061f0a4d5d3b08165cf2eac4abb643",
+ "version": 2
 },
 "7d2c38d7-ede7-4bdf-b140-445906e6c540": {
 "rule_name": "Tor Activity to the Internet",
@@ -501,8 +501,8 @@
 },
 "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
 "rule_name": "Persistence via Kernel Module Modification",
- "sha256": "80125097341af87cd48b9ad11105d466d5956ccc306450a562cfd0eb3ba33e5c",
- "version": 3
+ "sha256": "7de69f7a4a1f9689fe091d5b70484d4392ad24039b3a80f47d39d322d4719e55",
+ "version": 4
 },
 "8623535c-1e17-44e1-aa97-7a0699c3037d": {
 "rule_name": "AWS EC2 Network Access Control List Deletion",
@@ -521,13 +521,13 @@
 },
 "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
 "rule_name": "Command Prompt Network Connection",
- "sha256": "84bf6f16be980111319510f8654f6b42ac0a4e73405b2f031c9d5b0633e71014",
- "version": 3
+ "sha256": "920af03d75efd763b940e822bf4ba93d3f8fd8dde10e116f98e7d459096de622",
+ "version": 4
 },
 "8a1b0278-0f9a-487d-96bd-d4833298e87a": {
 "rule_name": "Setuid Bit Set via chmod",
- "sha256": "80d32998b1c5af4f744b6890f5b5d734fd59f208e072929836a823619660d6b5",
- "version": 2
+ "sha256": "af04c32620120d576ec2c15c7a49bb359b6c1c77490206e947ed86826020fa3a",
+ "version": 3
 },
 "8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
 "rule_name": "RDP (Remote Desktop Protocol) from the Internet",
@@ -541,8 +541,8 @@
 },
 "90169566-2260-4824-b8e4-8615c3b4ed52": {
 "rule_name": "Hping Process Activity",
- "sha256": "a981451a19485a25d6fe0c5a5c6760be1d66decf16a4989d48754e3b7add6ab6",
- "version": 3
+ "sha256": "983df73edf11df0faa699d91d23031739d932dc4134e634c5c886fd07c6d5a4f",
+ "version": 4
 },
 "9055ece6-2689-4224-a0e0-b04881e1f8ad": {
 "rule_name": "AWS RDS Cluster Deletion",
@@ -571,8 +571,8 @@
 },
 "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
 "rule_name": "Sudoers File Modification",
- "sha256": "d11b8d0bb029ec776940640f440bc35573b8d5a83f2306cc9365c36dd2110be7",
- "version": 2
+ "sha256": "7d7d732303b9069da8939be0085b0b8f1fba316e25e4531e3d078f3ef0bab9c3",
+ "version": 3
 },
 "9395fd2c-9947-4472-86ef-4aceb2f7e872": {
 "rule_name": "AWS EC2 Flow Log Deletion",
@@ -586,8 +586,8 @@
 },
 "97f22dab-84e8-409d-955e-dacd1d31670b": {
 "rule_name": "Base64 Encoding/Decoding Activity",
- "sha256": "feb2b3549a08e130d7b06da043cae62e646e2199b3c31bb71aa7ff059c3a7b6e",
- "version": 2
+ "sha256": "b83f0cfa5bbb7f02fa48798def53d8b1a57fd8734d0d24e95e8ebe34444e5249",
+ "version": 3
 },
 "98fd7407-0bd5-5817-cda0-3fcc33113a56": {
 "rule_name": "AWS EC2 Snapshot Activity",
@@ -611,28 +611,28 @@
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
 "rule_name": "Microsoft Build Engine Started by a Script Process",
- "sha256": "2f83765c4911e648c0be0db638d9cc346965a71141933eac60f40861b9b7cd91",
- "version": 2
+ "sha256": "d6ebaa11d210241095adfa1bcc998743ab486836f893b87e044a8255829f52fb",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
 "rule_name": "Microsoft Build Engine Started by a System Process",
- "sha256": "a21ff9b2f5134165746bb88ae1aee78d6bd955a455052c829ab18ccd9f06118f",
- "version": 2
+ "sha256": "2bbb3b9cbeead17b40f9663e52ec3b42f4b1d58dd645962c431d84b7ce149c90",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
 "rule_name": "Microsoft Build Engine Using an Alternate Name",
- "sha256": "6734ab6912ee86be6f5eff281217b5f9c95ac51596cd01d2f9359cc3b8de7758",
- "version": 2
+ "sha256": "c7b27e753ab08dc5bd3cab380b67f4b346279dbeddea2b55aa862747f335e56b",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
 "rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
- "sha256": "9aa85ddacb0b3441dfcb53ec6d5b5c5ce908c558a242c764bd3f44624f8153ee",
- "version": 2
+ "sha256": "45fff1a065830305c07e41b12e2645e34ba7c10c5512268efd85d2e50ce4f833",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
 "rule_name": "Microsoft Build Engine Started an Unusual Process",
- "sha256": "2c2569ff1e94344e1f975de973207510adf013f3a1d023c86508e8a116014454",
- "version": 2
+ "sha256": "0aefc28ef5fa42264e4082dd010644052873fc54ae3cb0b7bc3cbf5a882fe345",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
 "rule_name": "Process Injection by the Microsoft Build Engine",
@@ -641,8 +641,8 @@
 },
 "9f9a2a82-93a8-4b1a-8778-1780895626d4": {
 "rule_name": "File Permission Modification in Writable Directory",
- "sha256": "15ed502ec9c70e5b3fa1de7c99ec0877ac1907ece60779a324b8461956093012",
- "version": 2
+ "sha256": "a615c13125f279c6b25a34d110cf8d84f45e4bbce23e9ec63080952a04342760",
+ "version": 3
 },
 "a00681e3-9ed6-447c-ab2c-be648821c622": {
 "rule_name": "AWS Access Secret in Secrets Manager",
@@ -651,13 +651,13 @@
 },
 "a1329140-8de3-4445-9f87-908fb6d824f4": {
 "rule_name": "File Deletion via Shred",
- "sha256": "4f3f62c5999ec7b6e172437a4f359adc08bb68fc7a83c954c4f019b5d64a8664",
- "version": 2
+ "sha256": "10ea375a05dd802cd9169b589070582864cac1a66a76de45d14c2b089c25e902",
+ "version": 3
 },
 "a4ec1382-4557-452b-89ba-e413b22ed4b8": {
 "rule_name": "Network Connection via Mshta",
- "sha256": "59d713111ca42fcac2769d8939303019253c300d5455524e3fff4446f24282ad",
- "version": 3
+ "sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
+ "version": 4
 },
 "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
 "rule_name": "AWS IAM Assume Role Policy Update",
@@ -666,8 +666,8 @@
 },
 "a624863f-a70d-417f-a7d2-7a404638d47f": {
 "rule_name": "Suspicious MS Office Child Process",
- "sha256": "63f8ff2b6aafc463ae4759cabe61f70564a50e3d77328cf40916ae99b7ea9813",
- "version": 3
+ "sha256": "0f44750ec993f9fdde22d2e85e1679352f4d94c946293223c066533697a50f59",
+ "version": 4
 },
 "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
 "rule_name": "Web Application Suspicious Activity: POST Request Declined",
@@ -676,8 +676,8 @@
 },
 "a9198571-b135-4a76-b055-e3e5a476fd83": {
 "rule_name": "Hex Encoding/Decoding Activity",
- "sha256": "c22e81459d98bd8fc47e911677c6ee40218253b7ec3bcb2e21c3d7e6116e7d4e",
- "version": 2
+ "sha256": "d191c76742500aaa9f0d3284ffa0c5fb620768826b7ed5ea0d2eea116d838d86",
+ "version": 3
 },
 "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
 "rule_name": "IPSEC NAT Traversal Port Activity",
@@ -696,18 +696,18 @@
 },
 "adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
 "rule_name": "Netcat Network Activity",
- "sha256": "eb3f95d0ec4f799be133ce35a3b5365edbdf780a99a638023ef5aff1f64c5b1e",
- "version": 3
+ "sha256": "a86bc32201580a304e3177b759ade73e627c671d5e11853a88415f784b18d71b",
+ "version": 4
 },
 "afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
 "rule_name": "Local Scheduled Task Commands",
- "sha256": "5850b379eef292ad97ff952faf36cd85e8ce9f9c34e36b3f0efe0b844cde9c8f",
- "version": 3
+ "sha256": "d6d29ecdfb8d8ac87743712066146346c70d2a2991a00def356c8ed4733871bf",
+ "version": 4
 },
 "b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
 "rule_name": "Network Connection via Compiled HTML File",
- "sha256": "397a3304cb369f9f0567541e5bd84323c385ec834cb499a0e67d718f64006f52",
- "version": 3
+ "sha256": "88b6fdcc1f81a38ae42c2cc4d883604e9f5acd4a58af5f48a0c48e398665b9a4",
+ "version": 4
 },
 "b347b919-665f-4aac-b9e8-68369bf2340c": {
 "rule_name": "Unusual Linux Username",
@@ -721,8 +721,8 @@
 },
 "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
 "rule_name": "Volume Shadow Copy Deletion via VssAdmin",
- "sha256": "9a89bb4616053a27b9da19b0e039f20b5b06eddb82c0254daa490038e565943f",
- "version": 3
+ "sha256": "fc61426143133407bddabf689f0b5244aff16def118cbf470929b71174763637",
+ "version": 4
 },
 "b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
 "rule_name": "Attempt to Deactivate Okta Policy",
@@ -736,13 +736,13 @@
 },
 "b86afe07-0d98-4738-b15d-8d7465f95ff5": {
 "rule_name": "Network Connection via MsXsl",
- "sha256": "a6b35cd7c01efd9e3ff5f09556cfeae330c4c59d78c7d467cf32b8c376f93371",
- "version": 2
+ "sha256": "b82fc0de50c86b935980223c1fd582a618f509e526ba9d363771d0b5601b2628",
+ "version": 3
 },
 "b9666521-4742-49ce-9ddc-b8e84c35acae": {
 "rule_name": "Creation of Hidden Files and Directories",
- "sha256": "0032ef35ec0d687bcb474eedb0e01318c6d305c658ec692cf78bfb9d1bf2e1dc",
- "version": 1
+ "sha256": "c9369962e142eda14a770259206ca03ba72a0d0b907996d25498e4e2ef847796",
+ "version": 2
 },
 "ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
 "rule_name": "Unusual Windows Network Activity",
@@ -771,8 +771,8 @@
 },
 "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
 "rule_name": "Microsoft Build Engine Started by an Office Application",
- "sha256": "dd84d55464f543307c27a7f776fafdb99ab36e58ad7a7d5cbe9dbd3bd4c39a33",
- "version": 2
+ "sha256": "15fd9d9b15627d4a9dd571999362b14fb2e86016cf6e27740af6c1f45f64db96",
+ "version": 3
 },
 "c6474c34-4953-447a-903e-9fcb7b6661aa": {
 "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -786,13 +786,13 @@
 },
 "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
 "rule_name": "Direct Outbound SMB Connection",
- "sha256": "f323552f1aa665fbffde188f19226fda514df98d5e174725d61cd0d413ed8130",
- "version": 3
+ "sha256": "fae4636ddb0a185e2acbb41f8fea2f8510f6cf0ae61bbddd0218c63a74d5483b",
+ "version": 4
 },
 "c87fca17-b3a9-4e83-b545-f30746c53920": {
 "rule_name": "Nmap Process Activity",
- "sha256": "b0134afadd79015919a72fb3e6fa0f3994aca735609a71ab4aaa03c89c6ceee4",
- "version": 3
+ "sha256": "b82bf76e52898dfa29ff4736c2c989d575b0bf9c06fdb8bfcbf1ee737f41ccaf",
+ "version": 4
 },
 "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
 "rule_name": "Credential Manipulation - Prevented - Elastic Endpoint Security",
@@ -816,13 +816,13 @@
 },
 "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
 "rule_name": "Socat Process Activity",
- "sha256": "68d871126791b1040df2c53b6dc057432217be3b4376703b7cb81a2057344720",
- "version": 3
+ "sha256": "5dfa85cf3d23f692d8b5612ae518fda01ad11c2a9e4b3858f6f2eb79112332ac",
+ "version": 4
 },
 "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
 "rule_name": "Kernel Module Removal",
- "sha256": "f9fdcf439337f1fe71aa24215d02c09249e9cfb978f217d3edef60d6607d9403",
- "version": 2
+ "sha256": "db63134024db06c912eac8f9cbb156a98ba56e576abec86baff108edc6a7a10b",
+ "version": 3
 },
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
 "rule_name": "Attempt to Deactivate MFA for Okta User Account",
@@ -836,8 +836,8 @@
 },
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "6bf85d1d2f89adc041f3190145f1de20672f190727b302eaaf43268951d5e100",
- "version": 3
+ "sha256": "1e199885d6b2ee9d5652ae342c7a56130596f14f4207396452c15db2d826c26f",
+ "version": 4
 },
 "d49cc73f-7a16-4def-89ce-9fc7127d7820": {
 "rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
@@ -851,13 +851,13 @@
 },
 "d6450d4e-81c6-46a3-bd94-079886318ed5": {
 "rule_name": "Strace Process Activity",
- "sha256": "9d82b60fa077eab2c9bd133e9a3c4d56e2cf3f1ba86047b23540dc6b837266fb",
- "version": 3
+ "sha256": "2932086916e97a5920805f062c8461646c61448d36248aa6bf403133c86efa34",
+ "version": 4
 },
 "d76b02ef-fc95-4001-9297-01cb7412232f": {
 "rule_name": "Interactive Terminal Spawned via Python",
- "sha256": "6e298f0f3fed486ae6f4eb0a4d93d8deebf1597264ec5ac5ed32c42d8616263a",
- "version": 2
+ "sha256": "0a50429de3280c10cd206152131fed4f9491b08502c8877352256f7965470a0f",
+ "version": 3
 },
 "d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
 "rule_name": "SMTP on Port 26/TCP",
@@ -876,8 +876,8 @@
 },
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "64fccc407b6b538dbab612c8a8040476660146645f1940b48a64a324c51e705b",
- "version": 3
+ "sha256": "4b8ef95da8429452dcf67363672f8a9e6c4e45bc80bd729ad5d3b3e60a550a7c",
+ "version": 4
 },
 "dca28dee-c999-400f-b640-50a081cc0fd1": {
 "rule_name": "Unusual Country For an AWS Command",
@@ -886,13 +886,13 @@
 },
 "debff20a-46bc-4a4d-bae5-5cdd14222795": {
 "rule_name": "Base16 or Base32 Encoding/Decoding Activity",
- "sha256": "5f837c9e27f696b82b77dcb7d2c4a1a92142c2464451fc000104488ed8d65160",
- "version": 2
+ "sha256": "d3b991ebc8647e62117b27fbc8ed1f9c22a7daddb565daa4d2e617d1c8cf71b6",
+ "version": 3
 },
 "df959768-b0c9-4d45-988c-5606a2be8e5a": {
 "rule_name": "Unusual Process Execution - Temp",
- "sha256": "88700a3ed7404230c3fdcfb911bf74ef67178524e736a46f09cd82435b4e825d",
- "version": 3
+ "sha256": "26f7ffcfddc4a817c1cedd32dc68cef4167749ada87584c1ab790d2b44a41485",
+ "version": 4
 },
 "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
 "rule_name": "AWS RDS Cluster Creation",
@@ -901,8 +901,8 @@
 },
 "e19e64ee-130e-4c07-961f-8a339f0b8362": {
 "rule_name": "Connection to External Network via Telnet",
- "sha256": "1bdc0e8f97c88ad7d853ebb1870d959cd48583d54e72572f169a3fb35907e1aa",
- "version": 2
+ "sha256": "8dddae484d130d6bbcf5b88ba30b257f4ec4b0cf0e3eff8233822488c848ad9f",
+ "version": 3
 },
 "e2a67480-3b79-403d-96e3-fdd2992c50ef": {
 "rule_name": "AWS Management Console Root Login",
@@ -936,8 +936,8 @@
 },
 "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
 "rule_name": "Local Service Commands",
- "sha256": "09a14045036f6a30948b02a97ace4a3004863642b39f1d965fb7bc175fadff25",
- "version": 3
+ "sha256": "7f40a97cad0ae6acde9832aff4deb5250d452c2c825f894a138ae9f0d86a4121",
+ "version": 4
 },
 "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
 "rule_name": "SSH (Secure Shell) from the Internet",
@@ -956,8 +956,8 @@
 },
 "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
 "rule_name": "Potential Disabling of SELinux",
- "sha256": "8f7296c828ca1babc06b6d8f33006f235b006335b8e05dca5f6cd0dec669975f",
- "version": 2
+ "sha256": "3354f1c679152be687ac4eef73892612b5b488f0cfe4e0e2636dc3dfdfa45b6a",
+ "version": 3
 },
 "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
 "rule_name": "AWS RDS Instance/Cluster Stoppage",
@@ -971,13 +971,13 @@
 },
 "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
 "rule_name": "Windows Script Executing PowerShell",
- "sha256": "681ddd7b3337bb41f2496d94153c346d7e8e4fd2cab289c5c5168e3f5446d549",
- "version": 3
+ "sha256": "fbb250048e91b7b8df4a0555a9ddc8cf98009dbf2434019bf0e88839983dd332",
+ "version": 4
 },
 "f675872f-6d85-40a3-b502-c0d2ef101e92": {
 "rule_name": "Delete Volume USN Journal with Fsutil",
- "sha256": "9fc4f152c5dbe06bbbdf27a4d307abc2da1116b564acc79b30034913e3b12219",
- "version": 3
+ "sha256": "37d052555eb47692d5dd98ecf41af9de6d21b1526b7047c228a532e021ca04ca",
+ "version": 4
 },
 "f772ec8a-e182-483c-91d2-72058f76a44c": {
 "rule_name": "AWS CloudWatch Alarm Deletion",
@@ -991,8 +991,8 @@
 },
 "fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
 "rule_name": "Network Connection via Regsvr",
- "sha256": "78487cacf86e895d025eabed659c5ffaa0ded038a19808d5d6bb5f70978fb014",
- "version": 3
+ "sha256": "01a7ea6c1cda22f3edc887d557916a5f27184cbb9c90dd7c09e36f3c68fd59f4",
+ "version": 4
 },
 "fbd44836-0d69-4004-a0b4-03c20370c435": {
 "rule_name": "AWS Configuration Recorder Stopped",
@@ -1006,12 +1006,12 @@
 },
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "rule_name": "Encoding or Decoding Files via CertUtil",
- "sha256": "cd0e189f8420314a834c4916b9685304b8edc4259d275796ee0e06fb7df0338b",
- "version": 3
+ "sha256": "d650ddaf396c9379540944aa0f084b0ef5802ec62367cb311ac6a4f0dd353d2d",
+ "version": 4
 },
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "rule_name": "Svchost spawning Cmd",
- "sha256": "53659b10280ff1cf084f6f27a95b3eae81c1e9e9e2cf0806e7eb61f14da0fc6d",
- "version": 3
+ "sha256": "730e186178e67ceed90c1a70820a8ab14290ee86c749c73739fbff617f7da978",
+ "version": 4
 }
 }
\ No newline at end of file