security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)

Browse Source 
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags

* Format & order

* Update pyproject.toml

* Update credential_access_cookies_chromium_browsers_debugging.toml
This commit is contained in:
Jonhnathan
2025-02-19 12:54:31 -03:00
committed by GitHub
parent bd62867465
commit c0f12ddecf
191 changed files with 1318 additions and 1215 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pyproject.toml
+1 -1
View File
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "0.4.12"
version = "0.4.13"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/06/19"
integration = ["endpoint", "system"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ tags = [
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+12 -11
View File
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/12/21"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -15,7 +15,14 @@ access web applications or Internet services as an authenticated user without ne
"""
false_positives = ["Developers performing browsers plugin or extension debugging."]
from = "now-9m"
index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = [
"auditbeat-*",
"logs-endpoint.events.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -28,14 +35,6 @@ references = [
]
risk_score = 47
rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -46,6 +45,8 @@ tags = [
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Resources: Investigation Guide",
"Data Source: Windows Security Event Logs",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
rules/cross-platform/credential_access_forced_authentication_pipes.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/07/23"
integration = ["endpoint", "system"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies a potential forced authentication using related SMB named pipes. Atta
authenticate to a host controlled by them to capture hashes or enable relay attacks.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-system.security-*", "winlogbeat-*"]
index = ["logs-endpoint.events.network-*", "logs-system.security*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Active Directory Forced Authentication from Linux Host - SMB Named Pipes"
@@ -50,7 +50,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Active Directory",
"Use Case: Active Directory Monitoring",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/windows/collection_email_powershell_exchange_mailbox.toml
+10 -8
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/31"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -15,14 +15,15 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect
false_positives = ["Legitimate exchange system administration activity."]
from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.*",
"endgame-*",
"logs-system.security*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -87,8 +88,9 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Crowdstrike",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/command_and_control_certreq_postdata.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/13"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,15 +40,15 @@ remote URL.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -119,7 +119,7 @@ tags = [
"Tactic: Exfiltration",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/command_and_control_dns_tunneling_nslookup.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/11"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,14 +14,14 @@ may indicate command and control activity utilizing the DNS protocol.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -72,7 +72,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Sysmon",
rules/windows/command_and_control_headless_browser.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2024/05/10"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/31"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ may use browsers to avoid ingress tool transfer restrictions.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -64,7 +64,7 @@ tags = [
"Data Source: Windows",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Sysmon",
rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+5 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2023/04/03"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/10/28"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -19,7 +19,8 @@ index = [
"logs-endpoint.events.process-*",
"endgame-*",
"winlogbeat-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"logs-system.security*",
]
language = "kuery"
@@ -74,7 +75,8 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "new_terms"
rules/windows/command_and_control_rdp_tunnel_plink.toml
+14 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/31"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -13,7 +13,17 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T
enable routing of network packets that would otherwise not reach their intended destination.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
index = [
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Desktop Tunneling Detected"
@@ -66,8 +76,9 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Crowdstrike",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+13 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2020/09/03"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -70,7 +70,17 @@ Identifies the desktopimgdownldr utility being used to download a remote file. A
download arbitrary files as an alternative to certutil.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"]
index = [
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via Desktopimgdownldr Utility"
@@ -144,7 +154,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Sysmon",
rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+13 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2020/09/03"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -67,7 +67,17 @@ providers = [
author = ["Elastic"]
description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"]
index = [
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via MpCmdRun"
@@ -142,7 +152,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/command_and_control_screenconnect_childproc.toml
+12 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/10"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -13,7 +13,16 @@ Identifies suspicious processes being spawned by the ScreenConnect client proces
abusing unauthorized access to the ScreenConnect remote access software.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
index = [
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious ScreenConnect Client Child Process"
@@ -32,7 +41,7 @@ tags = [
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
rules/windows/command_and_control_tool_transfer_via_curl.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2025/02/03"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,15 +13,15 @@ Identifies Curl for Windows making an HTTP request. Adversaries could abuse Curl
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -73,7 +73,7 @@ tags = [
"Tactic: Command and Control",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/command_and_control_tunnel_vscode.toml
+12 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -13,7 +13,16 @@ Detects the execution of the VScode portable binary with the tunnel command line
attempt to establish a remote tunnel session to Github or a remote VScode instance.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
index = [
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Establish VScode Remote Tunnel"
@@ -34,7 +43,7 @@ tags = [
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
]
rules/windows/credential_access_adidns_wildcard.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/03/26"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -17,7 +17,7 @@ records contained in the zone, becoming the Man-in-the-Middle and being able to
spoofing.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential ADIDNS Poisoning via Wildcard Record Creation"
@@ -57,7 +57,7 @@ tags = [
"Tactic: Credential Access",
"Data Source: Active Directory",
"Use Case: Active Directory Monitoring",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/windows/credential_access_adidns_wpad_record.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/03"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ Global Query Block List (GQBL) and create a "wpad" record to exploit hosts runni
privilege escalation and lateral movement.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential WPAD Spoofing via DNS Record Creation"
@@ -54,7 +54,7 @@ tags = [
"Tactic: Credential Access",
"Data Source: Active Directory",
"Use Case: Active Directory Monitoring",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/windows/credential_access_bruteforce_admin_account.toml
+3 -11
View File
@@ -2,7 +2,7 @@
creation_date = "2020/08/29"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,7 +40,7 @@ short time interval. Adversaries will often brute force login attempts across mu
password, in an attempt to gain access to accounts.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Privileged Account Brute Force"
@@ -96,14 +96,6 @@ This rule identifies potential password guessing/brute force activity from a sin
references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"]
risk_score = 47
rule_id = "f9790abf-bd0c-45f9-8b5f-d0b74015e029"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -111,7 +103,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Resources: Investigation Guide",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
type = "eql"
rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
+3 -11
View File
@@ -2,7 +2,7 @@
creation_date = "2020/08/29"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,7 +40,7 @@ brute force login attempts across multiple users with a common or known password
accounts.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Multiple Logon Failure Followed by Logon Success"
@@ -100,14 +100,6 @@ This rule identifies potential password guessing/brute force activity from a sin
references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"]
risk_score = 47
rule_id = "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -115,7 +107,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Resources: Investigation Guide",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
type = "eql"
rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2020/08/29"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,7 +40,7 @@ Adversaries will often brute force login attempts across multiple users with a c
to gain access to accounts.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Multiple Logon Failure from the same Source Address"
@@ -117,7 +117,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Resources: Investigation Guide",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
type = "eql"
rules/windows/credential_access_cmdline_dump_tool.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/24"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
maturity = "production"
updated_date = "2024/10/17"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,14 +14,14 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -76,7 +76,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Sysmon",
rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/24"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,15 +40,15 @@ Those files contain sensitive information including hashed domain and/or local c
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -126,7 +126,7 @@ tags = [
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Sysmon",
rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2022/12/19"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ can use the DCSync technique to get credential information of individual account
compromising the entire domain.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "kuery"
license = "Elastic License v2"
name = "FirstTime Seen Account Performing DCSync"
@@ -91,7 +91,7 @@ tags = [
"Use Case: Active Directory Monitoring",
"Data Source: Active Directory",
"Resources: Investigation Guide",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "new_terms"
rules/windows/credential_access_dcsync_replication_rights.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2022/02/08"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ technique to get credential information of individual accounts or the entire dom
domain.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Credential Access via DCSync"
@@ -92,7 +92,7 @@ tags = [
"Data Source: Active Directory",
"Resources: Investigation Guide",
"Use Case: Active Directory Monitoring",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/credential_access_dcsync_user_backdoor.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/07/10"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -80,7 +80,7 @@ references = [
risk_score = 47
rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
rules/windows/credential_access_disable_kerberos_preauth.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2022/01/24"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ GenericWrite/GenericAll rights over the account can maliciously modify these set
cracking attacks such as AS-REP roasting.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Kerberos Pre-authentication Disabled for User"
@@ -80,7 +80,7 @@ tags = [
"Resources: Investigation Guide",
"Use Case: Active Directory Monitoring",
"Data Source: Active Directory",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/credential_access_dnsnode_creation.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/03/26"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -17,7 +17,7 @@ systems that are requested from multiple systems. They can also create specific
such as wpad, for spoofing attacks.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Creation of a DNS-Named Record"
@@ -57,7 +57,7 @@ tags = [
"Tactic: Credential Access",
"Data Source: Active Directory",
"Use Case: Active Directory Monitoring",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/windows/credential_access_dollar_account_relay.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/07/24"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/02/14"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -34,7 +34,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Active Directory",
"Use Case: Active Directory Monitoring",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/windows/credential_access_dump_registry_hives.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/23"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -11,15 +11,15 @@ author = ["Elastic"]
description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool."
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -78,7 +78,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Sysmon",
rules/windows/credential_access_iis_connectionstrings_dumping.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/08/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ password using aspnet_regiis command.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -43,7 +43,7 @@ tags = [
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/credential_access_ldap_attributes.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2022/11/09"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,7 +13,7 @@ Identify access to sensitive Active Directory object attributes that contains cr
unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Access to a Sensitive LDAP Attribute"
@@ -49,7 +49,7 @@ tags = [
"Tactic: Privilege Escalation",
"Use Case: Active Directory Monitoring",
"Data Source: Active Directory",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/windows/credential_access_lsass_memdump_handle_access.toml
+3 -9
View File
@@ -2,7 +2,7 @@
creation_date = "2022/02/16"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -41,7 +41,7 @@ agnostic as it has been validated against a host of various LSASS dump tools suc
Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "LSASS Memory Dump Handle Access"
@@ -125,12 +125,6 @@ Audit Handle Manipulation (Success,Failure)
```
Also, this event generates only if the objects [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
@@ -139,7 +133,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Resources: Investigation Guide",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2022/04/30"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ An adversary may use this primitive in combination with other techniques to elev
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -43,7 +43,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/credential_access_saved_creds_vault_winlog.toml
+10 -11
View File
@@ -2,7 +2,7 @@
creation_date = "2022/08/30"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ applications, and networks. An adversary may abuse this to list or dump credenti
saved usernames and passwords. This may also be performed in preparation of lateral movement.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Multiple Vault Web Credentials Read"
@@ -24,16 +24,15 @@ references = [
]
risk_score = 47
rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: System", "Resources: Investigation Guide"]
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
type = "eql"
query = '''
rules/windows/credential_access_saved_creds_vaultcmd.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/01/19"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ saved usernames and passwords. This may also be performed in preparation of late
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -43,7 +43,7 @@ tags = [
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2022/01/27"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ SeEnableDelegationPrivilege "user right" enables computer and user accounts to b
abuse this right to compromise Active Directory accounts and elevate their privileges.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "kuery"
license = "Elastic License v2"
name = "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User"
@@ -86,7 +86,7 @@ tags = [
"Data Source: Active Directory",
"Resources: Investigation Guide",
"Use Case: Active Directory Monitoring",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "query"
rules/windows/credential_access_shadow_credentials.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2022/01/26"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -20,7 +20,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Shadow Credentials added to AD Object"
@@ -95,7 +95,7 @@ tags = [
"Data Source: Active Directory",
"Resources: Investigation Guide",
"Use Case: Active Directory Monitoring",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "query"
rules/windows/credential_access_spn_attribute_modified.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2022/02/22"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ user to configure Service Principle Names (SPNs) so that they can perform Kerber
configure this for legitimate purposes, exposing the account to Kerberoasting.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "kuery"
license = "Elastic License v2"
name = "User account exposed to Kerberoasting"
@@ -94,7 +94,7 @@ tags = [
"Data Source: Active Directory",
"Resources: Investigation Guide",
"Use Case: Active Directory Monitoring",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "query"
rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2022/02/16"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ attempt to exfiltrate credentials by dumping the Security Account Manager (SAM)
credential access and privileges elevation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Remote Registry Access via SeBackupPrivilege"
@@ -93,7 +93,7 @@ tags = [
"Resources: Investigation Guide",
"Use Case: Active Directory Monitoring",
"Data Source: Active Directory",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
type = "eql"
rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/12/25"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ copy, including sensitive files such as ntds.dit, System Boot Key and browser of
false_positives = ["Legitimate administrative activity related to shadow copies."]
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -103,7 +103,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/credential_access_veeam_commands.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2024/03/14"
integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ Credentials to target backups as part of destructive operations such as Ransomwa
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -39,7 +39,7 @@ tags = [
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+3 -13
View File
@@ -2,7 +2,7 @@
creation_date = "2021/11/27"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,7 +13,7 @@ Identifies the creation of an LSASS process clone via PssCaptureSnapShot where t
process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
@@ -23,16 +23,6 @@ references = [
]
risk_score = 73
rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
setup = """## Setup
This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -40,7 +30,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Sysmon",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/windows/credential_access_wbadmin_ntds.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/05"
integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ groups like Backup Operators can abuse the utility to perform credential access
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -40,7 +40,7 @@ tags = [
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/credential_access_wireless_creds_dumping.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2022/11/01"
integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -37,15 +37,15 @@ author = ["Elastic"]
description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh."
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -107,7 +107,7 @@ tags = [
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -37,15 +37,15 @@ author = ["Elastic"]
description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -115,7 +115,7 @@ tags = [
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2025/01/14"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2025/02/14"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -81,7 +81,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "query"
rules/windows/defense_evasion_clearing_windows_console_history.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/11/22"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ account to conceal the actions undertaken during an intrusion.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -75,7 +75,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_clearing_windows_event_logs.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ attackers in an attempt to evade detection or destroy forensic evidence on a sys
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -71,7 +71,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_clearing_windows_security_logs.toml
+4 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/12"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/10/28"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,7 +13,7 @@ Identifies attempts to clear Windows event log stores. This is often done by att
or destroy forensic evidence on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.security*", "logs-system.system*", "logs-windows.forwarded*"]
language = "kuery"
license = "Elastic License v2"
name = "Windows Event Logs Cleared"
@@ -57,7 +57,8 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Windows System Event Logs",
]
timestamp_override = "event.ingested"
type = "query"
rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/31"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -33,15 +33,15 @@ allowing the execution of unsigned or self-signed code, threat actors can craft
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -105,7 +105,7 @@ tags = [
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_cve_2020_0601.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2020/03/19"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,7 +13,7 @@ A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) valid
certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a
malicious executable, making it appear the file was from a trusted, legitimate source.
"""
index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"]
language = "kuery"
license = "Elastic License v2"
name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
@@ -26,7 +26,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Use Case: Vulnerability",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/07/20"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ directory or process level.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -91,7 +91,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ of files created during post-exploitation activities.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -70,7 +70,7 @@ tags = [
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/31"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ disable the firewall during troubleshooting or to enable network mobility.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -68,7 +68,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/07/07"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -12,15 +12,15 @@ description = "Identifies use of the Set-MpPreference PowerShell command to disa
false_positives = ["Planned Windows Defender configuration changes."]
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -79,7 +79,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_disabling_windows_logs.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/05/06"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ attackers in an attempt to evade detection on a system.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -73,7 +73,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/08/21"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ compile code after delivery in order to bypass security mechanisms.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -38,7 +38,7 @@ tags = [
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/10/13"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ the Windows Firewall.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -74,7 +74,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/07/07"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/31"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ tool to weaken the host firewall settings.
false_positives = ["Host Windows Firewall planned system administration changes."]
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -70,7 +70,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/09/08"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ Adversaries may abuse control.exe to proxy execution of malicious code.
"""
from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -39,7 +39,7 @@ tags = [
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/10/13"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,15 +40,15 @@ as a defense evasion technique to blend-in malicious activity with legitimate Wi
"""
from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -116,7 +116,7 @@ tags = [
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/31"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -20,15 +20,15 @@ false_positives = [
]
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -96,7 +96,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+3 -10
View File
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,20 +14,12 @@ behavior is unusual and is sometimes used by malicious payloads.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Build Engine Started by a Script Process"
risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
"Domain: Endpoint",
@@ -36,6 +28,7 @@ tags = [
"Tactic: Defense Evasion",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ Instrumentation) subsystem. This behavior is unusual and is sometimes used by ma
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -39,7 +39,7 @@ tags = [
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+10 -11
View File
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -19,21 +19,19 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"]
index = [
"logs-endpoint.events.process-*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Build Engine Started an Unusual Process"
references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"]
risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
"Domain: Endpoint",
@@ -42,7 +40,8 @@ tags = [
"Tactic: Defense Evasion",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Sysmon",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
rules/windows/defense_evasion_from_unusual_directory.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2020/10/30"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,14 +40,14 @@ malware in trusted paths.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -121,7 +121,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_iis_httplogging_disabled.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/14"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ access via a webshell or other mechanism can disable HTTP Logging as an effectiv
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -73,7 +73,7 @@ tags = [
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_indirect_exec_forfiles.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2025/02/03"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ a trusted parent process.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -63,7 +63,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
+10 -9
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/02/14"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -14,13 +14,13 @@ for those instances and where the cdb.exe binary is outside of the normal Window
"""
from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*",
"logs-system.security*",
"logs-crowdstrike.fdr*"
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
@@ -40,7 +40,8 @@ tags = [
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Crowdstrike",
"Resources: Investigation Guide"
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2020/08/24"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,14 +14,14 @@ injection.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -36,7 +36,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_masquerading_trusted_directory.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ detections allowlisting those folders.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -38,7 +38,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/10/15"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -21,15 +21,15 @@ false_positives = [
]
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -85,7 +85,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_script_via_html_app.toml
+8 -8
View File
@@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -15,12 +15,12 @@ binaries.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-windows.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*"
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -33,11 +33,11 @@ tags = [
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Resources: Investigation Guide"
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/defense_evasion_suspicious_certutil_commands.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -41,15 +41,15 @@ data exfiltration.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -122,7 +122,7 @@ tags = [
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+27 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
[transform]
[[transform.osquery]]
@@ -39,7 +39,17 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r
such as command line, network connections, file writes and associated file signature details as well.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
index = [
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Zoom Child Process"
@@ -97,7 +107,21 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or
risk_score = 47
rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", "Data Source: Crowdstrike"]
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Windows Security Event Logs",
"Data Source: Crowdstrike",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2020/08/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -11,14 +11,14 @@ author = ["Elastic"]
description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -33,7 +33,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_via_filter_manager.toml
+8 -6
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "m365_defender", "system"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,12 +40,13 @@ defenses.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"endgame-*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-system.security*",
"logs-m365_defender.event-*"
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -114,7 +115,8 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/defense_evasion_windows_filtering_platform.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2023/12/15"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/02/14"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,7 +13,7 @@ Identifies multiple Windows Filtering Platform block events and where the proces
security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Evasion via Windows Filtering Platform"
@@ -49,7 +49,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Resources: Investigation Guide",
]
type = "eql"
rules/windows/defense_evasion_workfolders_control_execution.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2022/03/02"
integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/31"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,14 +14,14 @@ directory. Misuse of Windows Work Folders could indicate malicious activity.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*"
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -72,7 +72,7 @@ tags = [
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_wsl_child_process.toml
+9 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/12"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,14 +14,15 @@ WSL for Linux to avoid detection.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -37,11 +38,12 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/13"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ WSL for Linux to avoid detection.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -74,7 +74,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/defense_evasion_wsl_kalilinux.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/12"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ Linux to avoid detection.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -38,7 +38,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/discovery_adfind_command_activity.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/10/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule
"""
from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -82,7 +82,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/discovery_admin_recon.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2020/12/04"
integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,13 +14,13 @@ tools.
"""
from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.forwarded*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-system.security*",
"logs-windows.forwarded*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -68,7 +68,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Crowdstrike",
]
rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/27"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -18,15 +18,15 @@ false_positives = [
]
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -77,7 +77,7 @@ tags = [
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2022/05/31"
integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/31"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -21,14 +21,14 @@ false_positives = [
]
from = "now-9m"
index = [
"winlogbeat-*",
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-crowdstrike.fdr*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -79,7 +79,7 @@ tags = [
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: Crowdstrike",
rules/windows/discovery_group_policy_object_discovery.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/18"
integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ possible methods to escalate privileges or move laterally.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -71,7 +71,7 @@ tags = [
"Tactic: Discovery",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/discovery_high_number_ad_properties.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/29"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,7 +13,7 @@ Identify read access to a high number of Active Directory object attributes. The
help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Access to LDAP Attributes"
@@ -37,7 +37,7 @@ tags = [
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Active Directory",
"Data Source: Windows",
"Resources: Investigation Guide",
rules/windows/discovery_peripheral_device.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/02"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ and components connected to a computer system.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -67,7 +67,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/discovery_privileged_localgroup_membership.toml
+3 -9
View File
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
[transform]
[[transform.osquery]]
@@ -38,7 +38,7 @@ Identifies instances of an unusual process enumerating built-in Windows privileg
Administrators or Remote Desktop users.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "kuery"
license = "Elastic License v2"
name = "Enumeration of Privileged Local Groups Membership"
@@ -107,12 +107,6 @@ Audit Security Group Management (Success)
```
Microsoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
@@ -121,7 +115,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: System",
"Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "new_terms"
rules/windows/discovery_whoami_command_activity.toml
+12 -11
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "system", "windows", "m365_defender"]
maturity = "production"
updated_date = "2024/10/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -19,7 +19,15 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*", "logs-m365_defender.event-*"]
index = [
"endgame-*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Whoami Process Activity"
@@ -57,14 +65,6 @@ This rule looks for the execution of the `whoami` utility. Attackers commonly us
"""
risk_score = 21
rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
"Domain: Endpoint",
@@ -75,7 +75,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/12/14"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ false_positives = [
]
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -42,7 +42,7 @@ tags = [
"Tactic: Initial Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/execution_com_object_xwizard.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/01/20"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ run a COM object created in registry to evade defensive counter measures.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -42,7 +42,7 @@ tags = [
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/execution_command_shell_started_by_svchost.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -112,7 +112,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/execution_enumeration_via_wmiprvse.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2021/01/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ Provider Service (WMIPrvSE).
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -37,7 +37,7 @@ tags = [
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/execution_from_unusual_path_cmdline.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2020/10/30"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,14 +40,14 @@ malware in trusted paths.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -119,7 +119,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
rules/windows/execution_initial_access_foxmail_exploit.toml
+10 -10
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -15,15 +15,15 @@ a malicious email.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-windows.*",
"endgame-*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-crowdstrike.fdr*"
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -40,12 +40,12 @@ tags = [
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Elastic Endgame",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Crowdstrike",
"Resources: Investigation Guide"
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_mofcomp.toml
+9 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/14"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -12,7 +12,13 @@ files to build their own namespaces and classes into the Windows Management Inst
establish persistence using WMI Event Subscription.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security*", "logs-crowdstrike.fdr*"]
index = [
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-system.security*",
]
language = "eql"
license = "Elastic License v2"
name = "Mofcomp Activity"
@@ -27,7 +33,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Elastic Endgame",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
]
rules/windows/execution_powershell_susp_args_via_winscript.toml
+8 -8
View File
@@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/31"
updated_date = "2025/02/21"
[rule]
author = ["Elastic"]
@@ -13,12 +13,12 @@ Identifies PowerShell.exe or Cmd.exe execution spawning from Windows Script Host
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-windows.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*"
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -31,11 +31,11 @@ tags = [
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Resources: Investigation Guide"
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_suspicious_cmd_wmi.toml
+8 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/10/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ be indicative of adversary lateral movement.
"""
from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
@@ -41,7 +41,7 @@ tags = [
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",

Some files were not shown because too many files have changed in this diff Show More