Merge branch '7.9' into main

2020-08-27 15:54:44 -08:00
parent 779a3a5b0d 4ffdc46ba7
commit aec3ec31b9
76 changed files with 225 additions and 150 deletions
@@ -17,6 +17,7 @@ false_positives = [
    troubleshooting.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to
 receive or send network traffic.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade
 detection by security controls.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
    filtered by the process executable or username values.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
    filtered by the process executable or username values.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic
 investigations.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
 license = "Elastic License"
@@ -11,6 +11,7 @@ Identifies potential attempts to disable Security-Enhanced Linux (SELinux), whic
 support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and
 activities.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -11,6 +11,7 @@ Malware or other files dropped or created on a system by an adversary may leave
 a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or
 remove them at the end as part of the post-intrusion cleanup process.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    by username.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
    filtered by the process executable or username values.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
    behavior. These events can be filtered by the process arguments, username, or process name values.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
 license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
    Note that some Linux distributions are not built to support the removal of modules at all.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
    by ordinary users is uncommon. These can be exempted by process name or username.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
    process arguments to eliminate potential noise.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    automation tools and frameworks.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully
 interactive tty after obtaining initial access to a host.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully
 interactive tty after obtaining initial access to a host.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -18,6 +18,7 @@ false_positives = [
    suspicious.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -18,6 +18,7 @@ false_positives = [
    suspicious.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    uncommon.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    uncommon.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -18,6 +18,7 @@ false_positives = [
    originate from scripts, automation tools, and frameworks.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -18,6 +18,7 @@ false_positives = [
    uncommon.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
    username.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
    more likely to be suspicious.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    originate from developers or SREs engaged in debugging or system call tracing.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
    programs by ordinary users is uncommon.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
    behavior.
    """,
 ]
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -12,6 +12,7 @@ group. An adversary can take advantage of this to either do a shell escape or ex
 with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
 on their own malware to make sure they're able to execute in elevated contexts in the future.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
 license = "Elastic License"
@@ -12,6 +12,7 @@ user. An adversary can take advantage of this to either do a shell escape or exp
 with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
 on their own malware to make sure they're able to execute in elevated contexts in the future.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
 advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or
 malware, from a remote URL.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically lin
 credential management. This technique is sometimes used for credential dumping.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection
 or destroy forensic evidence on a system.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence
 of files created during post-exploitation activities.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent
 system recovery.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to
 disable the firewall during troubleshooting or to enable network mobility.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -11,6 +11,7 @@ Identifies the use of certutil.exe to encode or decode data. CertUtil is a nativ
 Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and
 control or exfiltration.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    this program to be started by an Office application like Word or Excel.
    """,
 ]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by a script or t
 behavior is unusual and is sometimes used by malicious payloads.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or t
 Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started after being rena
 indicate an attempt to run unnoticed or undetected.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    triggers this rule it can be exempted by process, user or host name.
    """,
 ]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -11,6 +11,7 @@ Binaries signed with trusted digital certificates can execute on Windows systems
 validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass
 application allowlists and signature validation.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an
 attacker as a destructive technique.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or
 other destructive attacks.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or
 other destructive attacks.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It
 is used in command line operations for control of users, groups, services, and network connections.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    environment for network connections being made from the command prompt to determine any abnormal use of this tool.
    """,
 ]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe."
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -11,6 +11,7 @@ Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTM
 malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable
 program (hh.exe).
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
 lateral movement but will be noisy if commonly done by admins.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often
 leveraged by adversaries to execute code and evade detection.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged
 by adversaries to execute malicious scripts and evade detection.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged
 by adversaries to execute malicious scripts and evade detection.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    environment to determine the amount of noise to expect from this tool.
    """,
 ]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
    is unusual.
    """,
 ]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes
 executing a PowerShell script, may be indicative of malicious activity.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -11,6 +11,7 @@ Identifies suspicious child processes of frequently targeted Microsoft Office ap
 These child processes are often launched during exploitation of Office applications or from documents with malicious
 macros.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear
 phishing activity.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies suspicious child processes of PDF reader applications. These child processes are often launched via
 exploitation of PDF applications or social engineering.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity
 and may identify malicious DLLs.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies network activity from unexpected system applications. This may indicate adversarial activity as these
 applications are often leveraged by adversaries to execute code and evade detection.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -11,6 +11,7 @@ RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to r
 (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows
 utility.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -12,6 +12,7 @@ over Server Message Block (SMB), which communicates between hosts using port 445
 connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or
 suspicious user-level processes moving laterally.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = "Detects writing executable files that will be automatically launched by Adobe on launch."
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -8,6 +8,7 @@ updated_date = "2020/08/03"
 author = ["Elastic"]
 description = "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges."
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration
 testers may run a shell as a service to gain SYSTEM permissions.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or
 domain.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with
 elevated permissions.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
 Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange
 activity on a system.
 """
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"