diff --git a/pyproject.toml b/pyproject.toml
index 332cdc3a3..6f045491f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.4.12"
+version = "0.4.13"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
index a8ecc952b..b508ee3bf 100644
--- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
+++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/19"
 integration = ["endpoint", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ tags = [
 "OS: macOS",
 "Use Case: Threat Detection",
 "Tactic: Command and Control",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index 6b8952afb..e0b4e9354 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
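Review bot: The tag swap in the `@@ -30,7 +30,7 @@` hunk of command_and_control_google_drive_malicious_file_download.toml replaces the platform-neutral `Data Source: System` with `Data Source: Windows Security Event Logs` on a rule that is tagged `OS: macOS` and whose `integration` list is `["endpoint", "system"]`. The rule's `index` is not part of this diff, so it is not visible whether it reads only a Windows security stream or also non-Windows `logs-system.*` streams; in the latter case the new tag under-describes the data source. Please confirm the index pattern before merging, and if the rule does cover non-Windows system logs keep a platform-neutral tag alongside, e.g. `"Data Source: System",`.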
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/21"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,14 @@ access web applications or Internet services as an authenticated user without ne
 """
 false_positives = ["Developers performing browsers plugin or extension debugging."]
 from = "now-9m"
-index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = [
+ "auditbeat-*",
+ "logs-endpoint.events.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -28,14 +35,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -46,6 +45,8 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Elastic Defend",
 "Resources: Investigation Guide",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/cross-platform/credential_access_forced_authentication_pipes.toml b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
index 16098a08a..686388e83 100644
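Review bot: In the `@@ -15,7 +15,14 @@` hunk of credential_access_cookies_chromium_browsers_debugging.toml, replacing `logs-windows.*` with the explicit `logs-windows.forwarded*` and `logs-windows.sysmon_operational-*` streams narrows the index pattern: events in any other Windows-integration data stream that matched before will no longer be evaluated by this rule. That looks deliberate, since the new tags name those sources, but it is a detection-coverage change rather than a cosmetic one and deserves a sentence in the commit message or rule changelog. The same narrowing is made in command_and_control_new_terms_commonly_abused_rat_execution.toml, command_and_control_rdp_tunnel_plink.toml, credential_access_adidns_wildcard.toml, credential_access_adidns_wpad_record.toml, credential_access_dcsync_newterm_subjectuser.toml and credential_access_dcsync_replication_rights.toml, where `logs-system.*` is additionally narrowed to `logs-system.security*`. Dropping the `setup` text about `event.ingested` on stacks older than 8.2 is consistent with the file's `min_stack_version = "8.14.0"`, so no replacement is needed there.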
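Review bot: In the `@@ -46,6 +45,8 @@` hunk of credential_access_cookies_chromium_browsers_debugging.toml the two new `Data Source:` tags are appended after `"Resources: Investigation Guide"`, which splits them from `"Data Source: Elastic Defend"` two lines above. Keeping the data-source tags contiguous, as command_and_control_tunnel_vscode.toml does in this same commit, makes the tag list easier to scan; move `"Resources: Investigation Guide",` below the two added lines.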
--- a/rules/cross-platform/credential_access_forced_authentication_pipes.toml
+++ b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/23"
 integration = ["endpoint", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies a potential forced authentication using related SMB named pipes. Atta
 authenticate to a host controlled by them to capture hashes or enable relay attacks.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-system.security-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.network-*", "logs-system.security*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Active Directory Forced Authentication from Linux Host - SMB Named Pipes"
@@ -50,7 +50,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Active Directory",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 7dc24bab6..2baaf3533 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -15,14 +15,15 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect
 false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.*",
 "endgame-*",
- "logs-system.security*",
- "logs-sentinel_one_cloud_funnel.*",
- "logs-m365_defender.event-*",
 "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -87,8 +88,9 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml
index 479a7d84e..a2a98c6bf 100644
--- a/rules/windows/command_and_control_certreq_postdata.toml
+++ b/rules/windows/command_and_control_certreq_postdata.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -40,15 +40,15 @@ remote URL.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -119,7 +119,7 @@ tags = [
 "Tactic: Exfiltration",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index 406fca876..3083a7f5f 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,14 +14,14 @@ may indicate command and control activity utilizing the DNS protocol.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -72,7 +72,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml
index 9b3c12096..81abab110 100644
--- a/rules/windows/command_and_control_headless_browser.toml
+++ b/rules/windows/command_and_control_headless_browser.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/10"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ may use browsers to avoid ingress tool transfer restrictions.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -64,7 +64,7 @@ tags = [
 "Data Source: Windows",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
index 3d5a827c1..8e7ba96c2 100644
--- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -19,7 +19,8 @@ index = [
 "logs-endpoint.events.process-*",
 "endgame-*",
 "winlogbeat-*",
- "logs-windows.*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
 "logs-system.security*",
 ]
 language = "kuery"
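Review bot: The `@@ -19,7 +19,8 @@` hunk of command_and_control_new_terms_commonly_abused_rat_execution.toml leaves the `index` array in its old, unsorted order (`logs-endpoint.events.process-*`, `endgame-*`, `winlogbeat-*`, …, `logs-system.security*`), while every other rule touched by this commit sorts the array alphabetically with `endgame-*` first and `winlogbeat-*` last. credential_access_dcsync_newterm_subjectuser.toml has the same inconsistency: its rewritten one-line `index` keeps `winlogbeat-*` in front, unlike the sibling DCSync and ADIDNS rules. Both are `new_terms` rules, so this may be a side effect of editing only the changed element; sorting them the same way as the rest keeps the files diff-friendly and the convention uniform.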
@@ -74,7 +75,8 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Elastic Endgame",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 907df3814..138ce8e3f 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,17 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T
 enable routing of network packets that would otherwise not reach their intended destination.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
@@ -66,8 +76,9 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 2b1320865..8bb08c1cf 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -70,7 +70,17 @@ Identifies the desktopimgdownldr utility being used to download a remote file. A
 download arbitrary files as an alternative to certutil.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Desktopimgdownldr Utility"
@@ -144,7 +154,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 27b528127..2bed2b5a9 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -67,7 +67,17 @@ providers = [
 author = ["Elastic"]
 description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via MpCmdRun"
@@ -142,7 +152,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index 4e7662b68..25f96b21f 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/10"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,16 @@ Identifies suspicious processes being spawned by the ScreenConnect client proces
 abusing unauthorized access to the ScreenConnect remote access software.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious ScreenConnect Client Child Process"
@@ -32,7 +41,7 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml
index 143904dea..d155e29c3 100644
--- a/rules/windows/command_and_control_tool_transfer_via_curl.toml
+++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
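Review bot: The rebuilt `index` in the `@@ -13,7 +13,16 @@` hunk of command_and_control_screenconnect_childproc.toml lists `logs-system.security*` and `logs-windows.sysmon_operational-*` but not `logs-windows.forwarded*`, whereas every other process-creation rule in this commit that was given the `Data Source: Windows Security Event Logs` tag carries all three streams. The omission predates this change (the old one-line array lacked it too), so it may be intentional, but since the commit is normalizing these arrays it is the natural moment to decide: if Security-log process events arriving through the forwarded data stream are meant to be covered, add `"logs-windows.forwarded*",` between the `logs-system.security*` and `logs-windows.sysmon_operational-*` entries. command_and_control_tunnel_vscode.toml has the identical gap.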
@@ -13,15 +13,15 @@ Identifies Curl for Windows making an HTTP request. Adversaries could abuse Curl
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -73,7 +73,7 @@ tags = [
 "Tactic: Command and Control",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml
index 5b2ef1301..1bc611fa8 100644
--- a/rules/windows/command_and_control_tunnel_vscode.toml
+++ b/rules/windows/command_and_control_tunnel_vscode.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,16 @@ Detects the execution of the VScode portable binary with the tunnel command line
 attempt to establish a remote tunnel session to Github or a remote VScode instance.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Establish VScode Remote Tunnel"
@@ -34,7 +43,7 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
index 2bf5b07df..9fd97275a 100644
--- a/rules/windows/credential_access_adidns_wildcard.toml
+++ b/rules/windows/credential_access_adidns_wildcard.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -17,7 +17,7 @@ records contained in the zone, becoming the Man-in-the-Middle and being able to
 spoofing.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential ADIDNS Poisoning via Wildcard Record Creation"
@@ -57,7 +57,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Active Directory",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_adidns_wpad_record.toml b/rules/windows/credential_access_adidns_wpad_record.toml
index d0a6b7d80..aefa64bd7 100644
--- a/rules/windows/credential_access_adidns_wpad_record.toml
+++ b/rules/windows/credential_access_adidns_wpad_record.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,7 @@ Global Query Block List (GQBL) and create a "wpad" record to exploit hosts runni
 privilege escalation and lateral movement.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential WPAD Spoofing via DNS Record Creation"
@@ -54,7 +54,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Active Directory",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
index 4af1d2d80..20b39abf7 100644
--- a/rules/windows/credential_access_bruteforce_admin_account.toml
+++ b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -40,7 +40,7 @@ short time interval. Adversaries will often brute force login attempts across mu
 password, in an attempt to gain access to accounts.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Privileged Account Brute Force"
@@ -96,14 +96,6 @@ This rule identifies potential password guessing/brute force activity from a sin
 references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"]
 risk_score = 47
 rule_id = "f9790abf-bd0c-45f9-8b5f-d0b74015e029"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -111,7 +103,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 type = "eql"
 
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
index eefeff0cd..1a01a5b16 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -40,7 +40,7 @@ brute force login attempts across multiple users with a common or known password
 accounts.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Logon Failure Followed by Logon Success"
@@ -100,14 +100,6 @@ This rule identifies potential password guessing/brute force activity from a sin
 references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"]
 risk_score = 47
 rule_id = "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -115,7 +107,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 type = "eql"
 
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
index f571d5223..e3cf7a78f 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -40,7 +40,7 @@ Adversaries will often brute force login attempts across multiple users with a c
 to gain access to accounts.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Logon Failure from the same Source Address"
@@ -117,7 +117,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 type = "eql"
 
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 75fd74618..96caa2b51 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,14 +14,14 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -76,7 +76,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 509bd4c5b..14e2e20d9 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -40,15 +40,15 @@ Those files contain sensitive information including hashed domain and/or local c
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -126,7 +126,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 54c0dd437..4c05c46de 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/12/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ can use the DCSync technique to get credential information of individual account
 compromising the entire domain.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "FirstTime Seen Account Performing DCSync"
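Review bot: The new `index` list in the last hunk of credential_access_dcsync_newterm_subjectuser.toml keeps `winlogbeat-*` first, `index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]`, while every other rule touched above and below receives the same three patterns sorted, `index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]`. The same unsorted order appears in credential_access_seenabledelegationprivilege_assigned_to_user.toml, credential_access_shadow_credentials.toml and credential_access_spn_attribute_modified.toml further down; all four are `language = "kuery"` rules, so if the ordering is produced by tooling the kuery rules appear to have been skipped. Sorting them the same way would keep the diff mechanical and make the index sets easy to compare across rules.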
@@ -91,7 +91,7 @@ tags = [
 "Use Case: Active Directory Monitoring",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index ba0d89a7f..92a17b401 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ technique to get credential information of individual accounts or the entire dom
 domain.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via DCSync"
@@ -92,7 +92,7 @@ tags = [
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml
index bdd3afffb..4375ab76d 100644
--- a/rules/windows/credential_access_dcsync_user_backdoor.toml
+++ b/rules/windows/credential_access_dcsync_user_backdoor.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/10"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -80,7 +80,7 @@ references = [
 risk_score = 47
 rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System", "Resources: Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 8dd8527b6..94d814c62 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ GenericWrite/GenericAll rights over the account can maliciously modify these set
 cracking attacks such as AS-REP roasting.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kerberos Pre-authentication Disabled for User"
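Review bot: The `tags` array in the `@@ -80,7 +80,7 @@` hunk of credential_access_dcsync_user_backdoor.toml is rewritten but stays on a single 200-plus-character line, while this same commit reformats the equivalent single-line `tags` in credential_access_saved_creds_vault_winlog.toml into one element per line. Since the line is being touched anyway, splitting it the same way (`tags = [`, one quoted tag per line with a trailing comma, `]`) would keep the two files consistent and make future tag changes one-line diffs.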
@@ -80,7 +80,7 @@ tags = [
 "Resources: Investigation Guide",
 "Use Case: Active Directory Monitoring",
 "Data Source: Active Directory",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml
index 8061bf849..4eb3b83a9 100644
--- a/rules/windows/credential_access_dnsnode_creation.toml
+++ b/rules/windows/credential_access_dnsnode_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -17,7 +17,7 @@ systems that are requested from multiple systems. They can also create specific
 such as wpad, for spoofing attacks.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of a DNS-Named Record"
@@ -57,7 +57,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Active Directory",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml
index ba033de13..6e808140f 100644
--- a/rules/windows/credential_access_dollar_account_relay.toml
+++ b/rules/windows/credential_access_dollar_account_relay.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/14"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -34,7 +34,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Active Directory",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 940637010..f1ccc8b6b 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -11,15 +11,15 @@ author = ["Elastic"]
 description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool."
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -78,7 +78,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 412b2224f..3982f2e52 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ password using aspnet_regiis command.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -43,7 +43,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
index f5aa05988..5dda53662 100644
--- a/rules/windows/credential_access_ldap_attributes.toml
+++ b/rules/windows/credential_access_ldap_attributes.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,7 +13,7 @@ Identify access to sensitive Active Directory object attributes that contains cr
 unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access to a Sensitive LDAP Attribute"
@@ -49,7 +49,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Use Case: Active Directory Monitoring",
 "Data Source: Active Directory",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index 572399b56..4a1f3af0b 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -41,7 +41,7 @@ agnostic as it has been validated against a host of various LSASS dump tools suc
 Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Memory Dump Handle Access"
@@ -125,12 +125,6 @@ Audit Handle Manipulation (Success,Failure)
 ```
 Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
 tags = [
@@ -139,7 +133,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 37dc65a07..990d0407c 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/04/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ An adversary may use this primitive in combination with other techniques to elev
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -43,7 +43,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index a1b5ba26f..9e5891452 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ applications, and networks. An adversary may abuse this to list or dump credenti
 saved usernames and passwords. This may also be performed in preparation of lateral movement.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Vault Web Credentials Read"
@@ -24,16 +24,15 @@ references = [
 ]
 risk_score = 47
 rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: System", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index c9ea2c6fd..ae5484897 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ saved usernames and passwords. This may also be performed in preparation of late
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -43,7 +43,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 66db4bfc4..61855c5b2 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ SeEnableDelegationPrivilege "user right" enables computer and user accounts to b
 abuse this right to compromise Active Directory accounts and elevate their privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User"
@@ -86,7 +86,7 @@ tags = [
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index ed983271e..dfb617abe 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Shadow Credentials added to AD Object"
@@ -95,7 +95,7 @@ tags = [
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index 7ca5f4403..6af1a73f9 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ user to configure Service Principle Names (SPNs) so that they can perform Kerber
 configure this for legitimate purposes, exposing the account to Kerberoasting.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "User account exposed to Kerberoasting"
@@ -94,7 +94,7 @@ tags = [
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index adf1d67c5..0dea3f19e 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ attempt to exfiltrate credentials by dumping the Security Account Manager (SAM)
 credential access and privileges elevation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Remote Registry Access via SeBackupPrivilege"
@@ -93,7 +93,7 @@ tags = [
 "Resources: Investigation Guide",
 "Use Case: Active Directory Monitoring",
 "Data Source: Active Directory",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 type = "eql"
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index e897badcb..66828323b 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/12/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ copy, including sensitive files such as ntds.dit, System Boot Key and browser of
 false_positives = ["Legitimate administrative activity related to shadow copies."]
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -103,7 +103,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index bc8c45a30..cc7609557 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ Credentials to target backups as part of destructive operations such as Ransomwa
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -39,7 +39,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index f309e291d..7ccc4b488 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/27"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,7 +13,7 @@ Identifies the creation of an LSASS process clone via PssCaptureSnapShot where t
 process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
@@ -23,16 +23,6 @@ references = [
 ]
 risk_score = 73
 rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
-setup = """## Setup
-
-This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
 "Domain: Endpoint",
@@ -40,7 +30,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Data Source: Sysmon",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml
index ae57b9cf4..29b5cd8b8 100644
--- a/rules/windows/credential_access_wbadmin_ntds.toml
+++ b/rules/windows/credential_access_wbadmin_ntds.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/05"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
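Review bot: Deleting the whole `setup` block in the `@@ -23,16 +23,6 @@` hunk of credential_access_via_snapshot_lsass_clone_creation.toml also drops the rule-specific sentence `This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.`, which is not part of the obsolete `event.ingested` boilerplate this commit removes elsewhere (the LSASS handle-access rule above keeps its rule-specific setup text). Consider keeping a reduced block, `setup = """## Setup`, that sentence, `"""`, so operators still know the rule depends on 4688 process-creation auditing. Relatedly, the previous hunk narrows `index` from `logs-windows.*` to `logs-windows.forwarded*`, which no longer matches `logs-windows.sysmon_operational-*`, yet the tags hunk keeps `"Data Source: Sysmon"` as an unchanged line; if the query relies on 4688 fields only, the Sysmon tag looks stale, otherwise the Sysmon index pattern should probably be retained alongside the others.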
@@ -14,15 +14,15 @@ groups like Backup Operators can abuse the utility to perform credential access
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,7 +40,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml
index 93003d2aa..6a4271c9d 100644
--- a/rules/windows/credential_access_wireless_creds_dumping.toml
+++ b/rules/windows/credential_access_wireless_creds_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -37,15 +37,15 @@ author = ["Elastic"]
 description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh."
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -107,7 +107,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 4e6b5dd36..6043131dc 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -37,15 +37,15 @@ author = ["Elastic"]
 description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -115,7 +115,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
index 97b93892d..68b2dd7f3 100644
--- a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
+++ b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/14"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/02/14"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -81,7 +81,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 49d01e44d..62cef1d7a 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/22"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ account to conceal the actions undertaken during an intrusion.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -75,7 +75,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index a6d317f51..3dfe685d3 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ attackers in an attempt to evade detection or destroy forensic evidence on a sys
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -71,7 +71,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 5f4a892c4..c9f9d5418 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,7 +13,7 @@ Identifies attempts to clear Windows event log stores. This is often done by att
 or destroy forensic evidence on a system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-system.system*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Windows Event Logs Cleared"
@@ -57,7 +57,8 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Windows System Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
index 57e2b1534..4251115b3 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/31"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -33,15 +33,15 @@ allowing the execution of unsigned or self-signed code, threat actors can craft
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -105,7 +105,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index 509cd7ecc..5932a2f12 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,7 +13,7 @@ A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) valid
 certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a
 malicious executable, making it appear the file was from a trusted, legitimate source.
 """
-index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
+index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
@@ -26,7 +26,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Use Case: Vulnerability",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 9023dbe12..48eb71e05 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/20"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
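Review bot: The new `index` line for defense_evasion_cve_2020_0601.toml keeps `logs-system.security*` while narrowing the Windows pattern to `logs-windows.forwarded*`, but as far as I recall Microsoft documents the CryptoAPI spoofing audit event (provider Microsoft-Windows-Audit-CVE, event ID 1) as written to the Application log rather than Security, so the System-integration stream that would carry it is `logs-system.application*`; the query is outside the hunk, so please confirm against it. If that holds, `logs-windows.forwarded*` is now the only listed pattern that can contain the event on agent-managed hosts, and the `Data Source: Windows Security Event Logs` tag added in the second hunk names a stream the query cannot match in. Suggest `index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.application*"]`, keeping `logs-system.security*` only if the query also matches something the Security channel logs.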
@@ -14,15 +14,15 @@ directory or process level.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -91,7 +91,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 5d1ac8904..e80066eaf 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ of files created during post-exploitation activities.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -70,7 +70,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index 0e1862097..e25d77c4e 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ disable the firewall during troubleshooting or to enable network mobility.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -68,7 +68,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 59cfe065b..c58c50f40 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -12,15 +12,15 @@ description = "Identifies use of the Set-MpPreference PowerShell command to disa
 false_positives = ["Planned Windows Defender configuration changes."]
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -79,7 +79,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 3fd2ea74e..6d36c1335 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/06"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ attackers in an attempt to evade detection on a system.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -73,7 +73,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 10ea3f716..7f932ca3d 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ compile code after delivery in order to bypass security mechanisms.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -38,7 +38,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 0669884ae..56d52cc81 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ the Windows Firewall.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -74,7 +74,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index ff6793391..cc21a55c6 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -15,15 +15,15 @@ tool to weaken the host firewall settings.
 false_positives = ["Host Windows Firewall planned system administration changes."]
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -70,7 +70,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index ed36351cc..24dc8f1e2 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/09/08"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ Adversaries may abuse control.exe to proxy execution of malicious code.
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -39,7 +39,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index c61921b21..56c9510a9 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -40,15 +40,15 @@ as a defense evasion technique to blend-in malicious activity with legitimate Wi
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -116,7 +116,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 9c2ad28aa..c6ef3c615 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -20,15 +20,15 @@ false_positives = [
 ]
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -96,7 +96,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 3a6c445fe..c4dd1fecb 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,20 +14,12 @@ behavior is unusual and is sometimes used by malicious payloads.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a Script Process"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
 tags = [
 "Domain: Endpoint",
@@ -36,6 +28,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Tactic: Execution",
 "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index acddf3015..b235d0ccc 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
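Review bot: The narrowed `index` in the first hunk of defense_evasion_execution_msbuild_started_by_script.toml drops `logs-windows.forwarded*` (previously covered by `logs-windows.*`) and keeps only the Sysmon stream of the `windows` integration, while the sibling rule in the L57 hunk (msbuild_started_unusal_process, same rule family) keeps both `logs-windows.forwarded*` and `logs-windows.sysmon_operational-*`. The query is outside the hunk; if it only keys on `process.parent.name`/`process.name`, forwarded 4688 events would satisfy it as well, and the omission silently reduces coverage on hosts collected through Windows Event Forwarding. Either add `"logs-windows.forwarded*"` back (with the matching `Data Source: Windows Security Event Logs` tag in the second hunk) or record in the rule that it is intentionally Sysmon/Defend-only. Removing the `setup` block here is fine: its text described the EQL `event.ingested` fallback while this rule is `language = "kuery"`.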
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -15,15 +15,15 @@ Instrumentation) subsystem. This behavior is unusual and is sometimes used by ma
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -39,7 +39,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 6ea24c21f..bd07774ed 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -19,21 +19,19 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", +] language = "kuery" license = "Elastic License v2" name = "Microsoft Build Engine Started an Unusual Process" references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", @@ -42,7 +40,8 @@ tags = [ "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index d947cc914..2ee0007f9 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -40,14 +40,14 @@ malware in trusted paths. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -121,7 +121,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 70d23d495..0dc795434 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/11/02" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -14,15 +14,15 @@ access via a webshell or other mechanism can disable HTTP Logging as an effectiv """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -73,7 +73,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_indirect_exec_forfiles.toml b/rules/windows/defense_evasion_indirect_exec_forfiles.toml index bbef73526..e458499fd 100644 --- a/rules/windows/defense_evasion_indirect_exec_forfiles.toml +++ b/rules/windows/defense_evasion_indirect_exec_forfiles.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -14,15 +14,15 @@ a trusted parent process. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -63,7 +63,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml index 4c92ba161..bf4b4be6a 100644 --- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml +++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36 maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/14" +updated_date = "2025/02/21" [rule] author = ["Elastic"] 
@@ -14,13 +14,13 @@ for those instances and where the cdb.exe binary is outside of the normal Window """ from = "now-9m" index = [ - "logs-endpoint.events.process-*", - "logs-windows.sysmon_operational-*", - "endgame-*", - "logs-sentinel_one_cloud_funnel.*", - "logs-m365_defender.event-*", - "logs-system.security*", - "logs-crowdstrike.fdr*" + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", ] language = "eql" license = "Elastic License v2" @@ -40,7 +40,8 @@ tags = [ "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", - "Resources: Investigation Guide" + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index e337ec5bd..08fd91506 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
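Review bot: The index array in the `@@ -14,13` hunk still has no `logs-windows.forwarded*` or `winlogbeat-*` entry, yet the `@@ -40,7` hunk now tags the rule `Data Source: Windows Security Event Logs` and the array carries `logs-system.security*`; every other rule in this change that queries `logs-system.security*` pairs it with `logs-windows.forwarded*`, so Security events collected via Windows Event Forwarding would bypass this rule alone. Unless the omission is deliberate, add `"logs-windows.forwarded*",` (and `"winlogbeat-*",` for parity with the siblings) to the array. The visible tail of the tags array also lacks `Data Source: Sysmon` although `logs-windows.sysmon_operational-*` is indexed; the start of that array is outside the hunk, so it may already be present.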
@@ -14,14 +14,14 @@ injection. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -36,7 +36,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 9a4722729..663acbc61 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -15,15 +15,15 @@ detections allowlisting those folders. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -38,7 +38,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 5d3eefaf5..2521ce2dc 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/11/02" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -21,15 +21,15 @@ false_positives = [ ] from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -85,7 +85,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml index 4bd1aa2d2..efb57856d 100644 --- a/rules/windows/defense_evasion_script_via_html_app.toml +++ b/rules/windows/defense_evasion_script_via_html_app.toml @@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender" maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/21" [rule] author = ["Elastic"] @@ -15,12 +15,12 @@ binaries. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-windows.*", - "logs-system.security*", - "logs-windows.sysmon_operational-*", + "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-m365_defender.event-*" + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" 
@@ -33,11 +33,11 @@ tags = [ "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index 767843bdc..ae8a631e1 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -41,15 +41,15 @@ data exfiltration. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -122,7 +122,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", 
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index a1b084b6e..71b4c64cb 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/03" +updated_date = "2025/02/21" [transform] [[transform.osquery]] @@ -39,7 +39,17 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r such as command line, network connections, file writes and associated file signature details as well. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Zoom Child Process" 
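Review bot: The `integration` line in the `@@ -4,7` hunk is truncated after `"m365_defende` in this view, so I cannot confirm it lists `system` and `crowdstrike`, while the rebuilt index in the `@@ -39,7` hunk queries `logs-system.security*` and `logs-crowdstrike.fdr*` and the tag hunk that follows advertises both sources. If either entry is missing, the line should read like the sibling rules in this diff, `integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]`, assuming the repository's validation derives integration coverage from that list. The index change itself (splitting `logs-windows.*` into `logs-windows.forwarded*` and `logs-windows.sysmon_operational-*`) is consistent with the rest of the commit.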
@@ -97,7 +107,21 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or risk_score = 47 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index 7a0a00845..b1eadcddb 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -11,14 +11,14 @@ author = ["Elastic"] description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection." from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -33,7 +33,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index e37bb6617..8abbc4148 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender", "system"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -40,12 +40,13 @@ defenses. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", "endgame-*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", "logs-system.security*", - "logs-m365_defender.event-*" + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" 
@@ -114,7 +115,8 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", - "Data Source: System", + "Data Source: Windows Security Event Logs", + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml index 5e393578d..85d7318e9 100644 --- a/rules/windows/defense_evasion_windows_filtering_platform.toml +++ b/rules/windows/defense_evasion_windows_filtering_platform.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -13,7 +13,7 @@ Identifies multiple Windows Filtering Platform block events and where the proces security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry. """ from = "now-9m" -index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"] +index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential Evasion via Windows Filtering Platform" @@ -49,7 +49,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Resources: Investigation Guide", ] type = "eql" diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml index 864ff077c..b420a15a1 100644 --- a/rules/windows/defense_evasion_workfolders_control_execution.toml +++ b/rules/windows/defense_evasion_workfolders_control_execution.toml 
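Review bot: `"Data Source: Elastic Defend",` survives as a context line in the `@@ -49,7` hunk of defense_evasion_windows_filtering_platform.toml although that file's `integration` is `["system", "windows"]` and its index (`logs-system.security*`, `logs-windows.forwarded*`, `winlogbeat-*`) has no Elastic Defend stream, so the tag names the product being evaded rather than the telemetry the rule reads. Since this commit normalises `Data Source:` tags to the actual source, either drop that tag or replace it with `"Data Source: Windows",` as the LDAP-attributes rule later in this diff does. If it is intentionally kept to flag Defend as the evasion target, that intent is easy to lose without being stated in the rule description.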
@@ -2,7 +2,7 @@ creation_date = "2022/03/02" integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/31" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -14,14 +14,14 @@ directory. Misuse of Windows Work Folders could indicate malicious activity. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*" + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -72,7 +72,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml index d11044b03..cd43a1c76 100644 --- a/rules/windows/defense_evasion_wsl_child_process.toml +++ b/rules/windows/defense_evasion_wsl_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -14,14 +14,15 @@ WSL for Linux to avoid detection. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -37,11 +38,12 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide", + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index 7b04e3b98..d6481083c 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
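Review bot: In the `@@ -37,11` tag hunk, `"Data Source: Sysmon",` is appended after `"Resources: Investigation Guide",` instead of sitting with the other `Data Source:` entries, which differs from every other tag hunk in this change (the dism rule directly below keeps `Sysmon` between `Microsoft Defender for Endpoint` and `SentinelOne`). Move the line up next to `"Data Source: Microsoft Defender for Endpoint",` so the source tags stay grouped; rule behaviour is unaffected.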
@@ -14,15 +14,15 @@ WSL for Linux to avoid detection. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -74,7 +74,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index 620417551..3c99fb560 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml +++ b/rules/windows/defense_evasion_wsl_kalilinux.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -14,15 +14,15 @@ Linux to avoid detection. """ from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -38,7 +38,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index 15cdd0dfb..5f7fdd360 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/11/02" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -15,15 +15,15 @@ observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule """ from = "now-9m" index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -82,7 +82,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index 38dcc3099..c6859be0d 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2024/11/02" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -14,13 +14,13 @@ tools. """ from = "now-9m" index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.forwarded*", "endgame-*", - "logs-system.security*", - "logs-m365_defender.event-*", "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-system.security*", + "logs-windows.forwarded*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" 
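Review bot: The rebuilt index for discovery_admin_recon.toml in the `@@ -14,13` hunk still has no `logs-windows.sysmon_operational-*` entry, while its `integration` list includes `windows` and the nltest rule further down, with the same integration set, indexes both `logs-windows.forwarded*` and `logs-windows.sysmon_operational-*` and tags `Data Source: Sysmon`. If the query (outside this hunk) only needs fields that the Security event-log stream already provides this is fine; otherwise add `"logs-windows.sysmon_operational-*",` after `"logs-windows.forwarded*",` and the matching `"Data Source: Sysmon",` tag in the `@@ -68,7` hunk.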
@@ -68,7 +68,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", ] diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml index 1bf8ed1f2..fd505cadc 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/11/02" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -18,15 +18,15 @@ false_positives = [ ] from = "now-9m" index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "logs-crowdstrike.fdr*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -77,7 +77,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index ae7344be0..2ae2c9980 100644 
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2024/10/31" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -21,14 +21,14 @@ false_positives = [ ] from = "now-9m" index = [ - "winlogbeat-*", + "endgame-*", + "logs-crowdstrike.fdr*", "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-system.security*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", - "endgame-*", - "logs-system.security*", - "logs-m365_defender.event-*", - "logs-crowdstrike.fdr*", + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -79,7 +79,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: Crowdstrike", diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml index c987105ae..383c06fb8 100644 --- a/rules/windows/discovery_group_policy_object_discovery.toml +++ b/rules/windows/discovery_group_policy_object_discovery.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/18" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -15,15 +15,15 @@ possible methods to escalate privileges or move laterally.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -71,7 +71,7 @@ tags = [
 "Tactic: Discovery",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml
index cc4f4b7e9..e3f6379ae 100644
--- a/rules/windows/discovery_high_number_ad_properties.toml
+++ b/rules/windows/discovery_high_number_ad_properties.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -13,7 +13,7 @@ Identify read access to a high number of Active Directory object attributes. The
 help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Access to LDAP Attributes"
@@ -37,7 +37,7 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Active Directory",
 "Data Source: Windows",
 "Resources: Investigation Guide",
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index e937e65c4..91b672472 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -14,15 +14,15 @@ and components connected to a computer system.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -67,7 +67,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index fcfdac27d..971ad80dd 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"

 [transform]
 [[transform.osquery]]
@@ -38,7 +38,7 @@ Identifies instances of an unusual process enumerating built-in Windows privileg
 Administrators or Remote Desktop users.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Enumeration of Privileged Local Groups Membership"
@@ -107,12 +107,6 @@ Audit Security Group Management (Success)
 ```

 Microsoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
 tags = [
@@ -121,7 +115,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Resources: Investigation Guide",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 63ecd705b..0ec10e460 100644
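Review bot: The rebuilt `index` array in discovery_privileged_localgroup_membership.toml keeps `winlogbeat-*` first, while every other index array touched by this commit is sorted alphabetically, including discovery_high_number_ad_properties.toml which now carries the same three patterns; `index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]` would make it match. Narrowing `logs-system.*` and `logs-windows.*` to the `security*` and `forwarded*` data streams fits a rule that, per the linked setup text, reads Security event 4799, but it is a coverage change rather than a cosmetic one, so a short line in the setup section stating that the event must land in one of those streams would save operators a silent miss. The `[rule]` table these hunks belong to starts outside the hunk.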
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -19,7 +19,15 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "endgame-*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Whoami Process Activity"
@@ -57,14 +65,6 @@ This rule looks for the execution of the `whoami` utility. Attackers commonly us
 """
 risk_score = 21
 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
 tags = [
 "Domain: Endpoint",
@@ -75,7 +75,8 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Microsoft Defender for Endpoint",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 23a89fc7e..3cc541369 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -14,15 +14,15 @@ false_positives = [
 ]
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -42,7 +42,7 @@ tags = [
 "Tactic: Initial Access",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 337780fa2..5ae3834e2 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -15,15 +15,15 @@ run a COM object created in registry to evade defensive counter measures.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -42,7 +42,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 9667acc40..00d3e9316 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -112,7 +112,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 8fc3bdbc5..89da740cd 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -14,15 +14,15 @@ Provider Service (WMIPrvSE).
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -37,7 +37,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index aedb2c970..efa858c22 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -40,14 +40,14 @@ malware in trusted paths.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -119,7 +119,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index d5253617a..b84a03613 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"

 [rule]
 author = ["Elastic"]
@@ -15,15 +15,15 @@ a malicious email.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-windows.*",
 "endgame-*",
- "logs-system.security*",
- "logs-windows.sysmon_operational-*",
- "logs-sentinel_one_cloud_funnel.*",
- "logs-m365_defender.event-*",
+ "logs-crowdstrike.fdr*",
 "logs-endpoint.events.process-*",
- "logs-crowdstrike.fdr*"
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,12 +40,12 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Elastic Endgame",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Crowdstrike",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml
index 04a284194..a20ec6e9a 100644
--- a/rules/windows/execution_mofcomp.toml
+++ b/rules/windows/execution_mofcomp.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/14"
+updated_date = "2025/02/21"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,13 @@ files to build their own namespaces and classes into the Windows Management Inst
 establish persistence using WMI Event Subscription.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Mofcomp Activity"
@@ -27,7 +33,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Elastic Endgame",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index 0cf4c8ebe..f047239b7 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/31"
+updated_date = "2025/02/21"

 [rule]
 author = ["Elastic"]
@@ -13,12 +13,12 @@ Identifies PowerShell.exe or Cmd.exe execution spawning from Windows Script Host
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-windows.*",
- "logs-system.security*",
- "logs-windows.sysmon_operational-*",
+ "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-m365_defender.event-*"
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -31,11 +31,11 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Execution",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 5e303c492..1e94cbd2b 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -14,15 +14,15 @@ be indicative of adversary lateral movement.
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,7 +41,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index bc5b378da..20a79ff7b 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -14,15 +14,15 @@ exploitation of PDF applications or social engineering.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -87,7 +87,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index a00f339ed..7e4d4e631 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -48,15 +48,15 @@ false_positives = [
 ]
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -129,7 +129,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
index 4332f536c..3dbd41d9e 100644
--- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,17 @@ Identifies attempts to open a Microsoft Management Console File from untrusted p
 MSC files for initial access and execution.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Management Console File from Unusual Path"
@@ -30,9 +40,10 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml
index 5a88fc403..b3c492dad 100644
--- a/rules/windows/execution_windows_cmd_shell_susp_args.toml
+++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml
@@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"

 [rule]
 author = ["Elastic"]
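Review bot: In execution_via_mmc_console_file_unusual_path.toml the new `"Data Source: Sysmon",` tag is appended after `"Resources: Investigation Guide",`, while the other tag arrays in this commit keep the `Data Source:` entries together ahead of the `Resources:` entry (discovery_whoami_command_activity.toml places it directly after `"Data Source: Windows Security Event Logs",`). Moving that line up next to `"Data Source: Crowdstrike",` keeps the grouping uniform across the rule set and avoids a second ordering scheme for tooling that renders these tags. The `tags` array closes inside the hunk, but the `[rule]` table it belongs to starts outside it.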
@@ -14,12 +14,12 @@ often observed during malware installation.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-windows.*",
- "logs-system.security*",
- "logs-windows.sysmon_operational-*",
+ "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-m365_defender.event-*"
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -32,11 +32,11 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Execution",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index ae2af935e..243c923f9 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"

 [rule]
 author = ["Elastic"]
@@ -14,13 +14,13 @@ installation leveraging PowerShell.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-windows.*",
- "logs-system.security*",
- "logs-windows.sysmon_operational-*",
- "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 "logs-m365_defender.event-*",
- "logs-crowdstrike.fdr*"
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -33,12 +33,12 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Execution",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Crowdstrike",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index d272c7bdd..ef7a9c714 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -14,15 +14,15 @@ system recovery.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -77,7 +77,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index 94b55e8ed..ca19fcf0a 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -14,15 +14,15 @@ attacker as a destructive technique.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -77,7 +77,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index f73fa9494..e0b021c71 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system"]
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/09/28"
+updated_date = "2025/02/21"

 [rule]
 author = ["Elastic"]
@@ -14,11 +14,12 @@ short time period.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
 "endgame-*",
+ "logs-endpoint.events.process-*",
 "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "kuery"
 license = "Elastic License v2"
@@ -66,7 +67,8 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Sysmon",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index 6701f91be..9e46ab442 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -14,15 +14,15 @@ ransomware or other destructive attacks.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -95,7 +95,7 @@ tags = [
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 2a67ef13d..7128d3f97 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ occurs in tandem with ransomware or other destructive attacks.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -100,7 +100,7 @@ tags = [
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 38116973a..69440e7f1 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ other destructive attacks.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -96,7 +96,7 @@ tags = [
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
index b82f05ddd..c0d363686 100644
--- a/rules/windows/initial_access_execution_from_inetcache.toml
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ content via WININET during initial access.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,7 +41,7 @@ tags = [
  "Tactic: Command and Control",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
index 70c97bfab..e5635dbfb 100644
--- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -20,14 +20,14 @@ false_positives = [
 ]
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -47,7 +47,7 @@ tags = [
  "Use Case: Vulnerability",
  "Data Source: Elastic Defend",
  "Data Source: Microsoft Defender for Endpoint",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml
index b0ddbfd18..f0bf748de 100644
--- a/rules/windows/initial_access_rdp_file_mail_attachment.toml
+++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/05"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,14 +13,14 @@ Identifies attempts to open a remote desktop file from suspicious paths. Adversa
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,7 +41,7 @@ tags = [
  "Tactic: Command and Control",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 23a6f57b7..2ab66ef37 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -20,15 +20,15 @@ false_positives = [
 ]
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -49,7 +49,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Use Case: Vulnerability",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index f15c52647..98c8386fb 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -15,15 +15,15 @@ macros.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -89,7 +89,7 @@ tags = [
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index c0010f765..d55d70ce6 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,17 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe
 phishing activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious MS Outlook Child Process"
@@ -67,7 +77,22 @@ This rule looks for suspicious processes spawned by MS Outlook, which can be the
 risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Crowdstrike",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
index 825813db7..c3bce1a87 100644
--- a/rules/windows/initial_access_webshell_screenconnect_server.toml
+++ b/rules/windows/initial_access_webshell_screenconnect_server.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ activity may indicate exploitation activity or access to an existing web shell b
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,7 +40,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml
index 07634e0f4..2416c2c89 100644
--- a/rules/windows/lateral_movement_alternate_creds_pth.toml
+++ b/rules/windows/lateral_movement_alternate_creds_pth.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,7 @@ system access controls. Pass the hash (PtH) is a method of authenticating as a u
 cleartext password.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
+index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Pass-the-Hash (PtH) Attempt"
@@ -22,7 +22,7 @@ references = ["https://attack.mitre.org/techniques/T1550/002/"]
 risk_score = 47
 rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: System", "Resources: Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index a395ee0cc..fefd0ad1a 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
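Review bot: The rewritten line `+index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"]` in the PtH rule keeps the old element order, while the other single-line index arrays touched by this diff (remote_service_installed, dontexpirepasswd, msds_alloweddelegateto, scheduled_task_creation) were sorted alphabetically as part of the same change; the AdminSDHolder rule's `+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]` has the same inconsistency. Sorting both to `["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]` would match the convention every multi-line array in this diff now follows. This is style only; the patterns match the same data streams whatever the order.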
@@ -14,15 +14,15 @@ indicate a lateral movement attempt.
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,7 +41,7 @@ tags = [
  "Tactic: Lateral Movement",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 281a95b83..3489b44f5 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ preparation for data exfiltration.
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -38,7 +38,7 @@ tags = [
  "Tactic: Lateral Movement",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 3a97c0d49..31ed56556 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ activity.
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -38,7 +38,7 @@ tags = [
  "Tactic: Lateral Movement",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
index e0677bd80..b06572fd2 100644
--- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml
+++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,7 +13,7 @@ Identifies a network logon followed by Windows service creation with same LogonI
 movement, but will be noisy if commonly done by administrators."
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Windows Service Installed"
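Review bot: Narrowing `logs-system.*` to `logs-system.security*` in the Remote Windows Service Installed index hunk drops the System-channel data stream (`logs-system.system*`) from the rule's scope; a service installation is logged both as Security event 4697 and as System event 7045 from the Service Control Manager, so if the EQL query (outside this hunk) keys on the latter, the rule stops seeing those events. Confirm the query only references Security-channel event codes before merging, or keep `logs-system.system*` in the list. The tightening is otherwise welcome, since the old wildcard also scanned unrelated system data streams on every run.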
@@ -26,7 +26,7 @@ tags = [
  "Use Case: Threat Detection",
  "Tactic: Lateral Movement",
  "Tactic: Persistence",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Resources: Investigation Guide",
 ]
 type = "eql"
diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
index e27e3cd3c..cc727f02a 100644
--- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml
+++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/17"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -10,7 +10,7 @@ min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 author = ["Elastic"]
 description = "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.\n"
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Scheduled Task Creation via RPC"
@@ -46,7 +46,14 @@ note = """## Triage and analysis
 risk_score = 47
 rule_id = "9c865691-5599-447a-bac9-b3f2df5f9a9d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: System", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index 6143e0db2..805ca9ee9 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/31"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -21,15 +21,15 @@ false_positives = [
 ]
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
  "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -88,7 +88,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Use Case: Vulnerability",
  "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
index 5ee82d8b5..0b3bbc358 100644
--- a/rules/windows/lateral_movement_via_wsus_update.toml
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/14"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,16 @@ WSUS is limited to executing Microsoft signed binaries, which limits the executa
 by Microsoft.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security*", "winlogbeat-*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential WSUS Abuse for Lateral Movement"
@@ -32,7 +41,7 @@ tags = [
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Microsoft Defender for Endpoint",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index 1c76f19a1..dd5de2c05 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
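Review bot: The rebuilt index array for the WSUS rule omits `logs-windows.forwarded*`, although every other rule in this diff that carries `logs-system.security*` together with the `Data Source: Windows Security Event Logs` tag pairs it with that pattern. The omission predates this change, so it may be deliberate if the query only needs Sysmon process events from the windows integration; if not, adding ` "logs-windows.forwarded*",` between the `logs-system.security*` and `logs-windows.sysmon_operational-*` entries keeps hosts collected via Windows Event Forwarding in scope. Either way a one-line comment above the array stating why forwarded events are excluded would stop the next sweep from re-asking this.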
@@ -16,7 +16,7 @@ the protected accounts and groups are reset to match those of the domain's Admin
 Administrative Privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AdminSDHolder Backdoor"
@@ -34,7 +34,7 @@ tags = [
  "Tactic: Persistence",
  "Use Case: Active Directory Monitoring",
  "Data Source: Active Directory",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index 9356aa5d9..e5bbdceaf 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/12"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,7 +22,7 @@ false_positives = [
  """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Account Configured with Never-Expiring Password"
@@ -72,7 +72,7 @@ tags = [
  "Data Source: Active Directory",
  "Resources: Investigation Guide",
  "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index f2ccb9cea..af54846d0 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,7 @@ that the attacker has achieved SYSTEM privileges in a domain controller, which a
 vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Active Directory Group Modification by SYSTEM"
@@ -28,7 +28,7 @@ tags = [
  "Tactic: Persistence",
  "Use Case: Active Directory Monitoring",
  "Data Source: Active Directory",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
index 8d9f0243a..fb537f2b6 100644
--- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
+++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,7 +13,7 @@ Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT.
 maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "KRBTGT Delegation Backdoor"
@@ -47,7 +47,7 @@ tags = [
  "Tactic: Persistence",
  "Use Case: Active Directory Monitoring",
  "Data Source: Active Directory",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index f5f4de86e..d43d6d668 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -15,15 +15,15 @@ Adversaries may target user email to collect sensitive information.
 false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -43,7 +43,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index bf4d87a54..a60cd2a8e 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ passwords to maintain access or evade password duration policies and preserve co
 """
 false_positives = ["Legitimate remote account administration."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Account Password Reset Remotely"
@@ -71,7 +71,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Tactic: Impact",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 type = "eql"
diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml
index 0fc48132d..8c9afca38 100644
--- a/rules/windows/persistence_scheduled_task_creation_winlog.toml
+++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ move laterally, and/or escalate privileges.
 """
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "A scheduled task was created"
@@ -22,7 +22,14 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti
 risk_score = 21
 rule_id = "92a6faf5-78ec-4e25-bea1-73bacc9b59d9"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: System", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml
index 965fe695e..5efd12e48 100644
--- a/rules/windows/persistence_scheduled_task_updated.toml
+++ b/rules/windows/persistence_scheduled_task_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,7 +15,7 @@ common and may may generate noise.
 """
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "A scheduled task was updated"
@@ -23,7 +23,14 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti
 risk_score = 47
 rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: System", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index d3d7f4429..b250f6fd2 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -17,7 +17,7 @@ remain unchanged. Attackers can abuse this misconfiguration to maintain long-ter
 groups.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AdminSDHolder SDProp Exclusion Added"
@@ -79,12 +79,6 @@ Audit Policies > DS Access > Audit Directory Service Changes (Success)
 ```
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
 tags = [
@@ -95,7 +89,7 @@ tags = [
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml
index 67a7a7406..dde825ba0 100644
--- a/rules/windows/persistence_service_windows_service_winlog.toml
+++ b/rules/windows/persistence_service_windows_service_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -51,7 +51,7 @@ Identifies the creation of a new Windows service with suspicious Service command
 as SYSTEM and can be used for privilege escalation and persistence.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-system.system*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Service was Installed in the System"
@@ -105,7 +105,8 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Windows System Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 299d5b21d..ddea5aed9 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -11,7 +11,7 @@ author = ["Elastic"]
 description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
 false_positives = ["Legitimate scheduled tasks running third party software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Scheduled Task"
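Review bot: The new `index` line of persistence_suspicious_scheduled_task_runtime.toml narrows the rule from `winlogbeat-*` plus every `logs-windows.*` stream to `logs-endpoint.events.process-*` alone, which silently drops the `logs-windows.sysmon_operational-*` and forwarded-event coverage the old wildcard gave it; together with the `integration` change in the hunk above, Elastic Defend becomes the rule's only source. That is only safe if the query's process-lineage fields are never populated by Sysmon or Winlogbeat data, which cannot be confirmed here because the query and the rule's `Data Source:` tags sit outside the hunk. If Sysmon coverage is meant to stay, `index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]` keeps it while still removing the over-broad wildcard; if the narrowing is deliberate, a one-line explanation in the commit message or the rule's `setup` text would stop the next maintainer from reading it as a regression.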
@@ -20,14 +20,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 46d810c77..2e166e46f 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 [transform]
 [[transform.osquery]]
@@ -34,7 +34,17 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati
 testers may run a shell as a service to gain SYSTEM permissions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "System Shells via Services"
@@ -81,7 +91,21 @@ This rule looks for system shells being spawned by `services.exe`, which is comp
 risk_score = 47
 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Crowdstrike",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml
index cb6d8198c..968148866 100644
--- a/rules/windows/persistence_temp_scheduled_task.toml
+++ b/rules/windows/persistence_temp_scheduled_task.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ malicious execution via the schedule service and perform clean up.
 """
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Temporarily Scheduled Task Creation"
@@ -28,7 +28,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Tactic: Execution",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 type = "eql"
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index eb07058b0..7b45616a7 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,7 +14,7 @@ Directory are those to which powerful rights, privileges, and permissions are gr
 any action in Active Directory and on domain-joined systems.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "User Added to Privileged Group"
@@ -52,14 +52,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -69,7 +61,7 @@ tags = [
 "Resources: Investigation Guide",
 "Use Case: Active Directory Monitoring",
 "Data Source: Active Directory",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 57e2251e1..dc9761a25 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ on a system or domain.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -71,7 +71,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 745c43fab..39e50dc0b 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["system", "windows"]
 maturity = "development"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -19,14 +19,14 @@ false_positives = [
 behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Windows User Account Creation"
 risk_score = 21
 rule_id = "38e17753-f581-4644-84da-0d60a8318694"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: System", "Resources: Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index c793e24f1..96d9b8692 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
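Review bot: The rewritten `index` line of persistence_user_account_creation_event_logs.toml keeps the original ordering with `winlogbeat-*` first, and `tags` stays on one line, whereas every other rule touched in this commit sorts its index patterns alphabetically and expands `tags` to one entry per line; the `index` line of rules/windows/privilege_escalation_credroaming_ldap.toml further down has the same unsorted shape. Unless `language = "kuery"` rules are deliberately exempt from the formatter, `index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]` would bring this hunk in line with the rest of the change.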
@@ -15,15 +15,15 @@ code execution in legitimate Windows processes.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -38,7 +38,7 @@ tags = [
 "Tactic: Persistence",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index de038724d..842735327 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ integrity level of system.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -39,7 +39,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 4a5ef747b..d13d6375a 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,14 +40,14 @@ level of SYSTEM.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -120,6 +120,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
+ "Data Source: Windows Security Event Logs",
 "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 4c823fbb7..43ae1cc41 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,15 +15,15 @@ event and execute arbitrary code when that event occurs, providing persistence o
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,7 +40,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
index bd55c8978..dd9983e07 100644
--- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -14,15 +14,15 @@ using xp_cmdshell, which is disabled by default, thus, it's important to review
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -72,7 +72,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index 209b157eb..4178b2f64 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/11/02"
+updated_date = "2025/02/21"
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,16 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Web Shell Detection: Script Process Child of Common Web Processes"
@@ -71,7 +80,22 @@ references = [
 risk_score = 73
 rule_id = "2917d495-59bd-4250-b395-c29409b76086"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml
index ac063ad60..319ad4396 100644
--- a/rules/windows/privilege_escalation_create_process_as_different_user.toml
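Review bot: The expanded `index` array of persistence_webshell_detection.toml lists `logs-system.security*` and `logs-windows.sysmon_operational-*` but not `logs-windows.forwarded*`, while the other multi-source rules in this commit that carry the `Data Source: Windows Security Event Logs` tag (rules/windows/persistence_system_shells_via_services.toml, for example) include all three. The old single-line value did not have the forwarded stream either, so this is not a regression, but Security events that reach the stack through Windows Event Forwarding would be covered by the sibling rules and missed by this one; if that is unintended, add `"logs-windows.forwarded*",` after the `logs-system.security*` entry. Whether the query actually relies on Security-log fields cannot be confirmed from the hunk, since the query sits outside it.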
+++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,7 +13,7 @@ Identifies process creation with alternate credentials. Adversaries may create a
 escalate privileges and bypass access controls.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Creation via Secondary Logon"
@@ -23,15 +23,16 @@ rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266"
 setup = """## Setup
 Audit events 4624 and 4688 are needed to trigger this rule.
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml
index 6e2c1d046..077e04609 100644
--- a/rules/windows/privilege_escalation_credroaming_ldap.toml
+++ b/rules/windows/privilege_escalation_credroaming_ldap.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -15,7 +15,7 @@ contains binary large objects (BLOBs) of encrypted credential objects from the c
 certificates, and certificate requests.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification of the msPKIAccountCredentials"
@@ -50,7 +50,7 @@ tags = [
 "Data Source: Active Directory",
 "Tactic: Privilege Escalation",
 "Use Case: Active Directory Monitoring",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index 47d409974..5fc487de6 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -10,7 +10,7 @@ min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." author = ["Elastic"] description = "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects." false_positives = ["Legitimate Administrative Activity"] -index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] +index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Startup/Logon Script added to Group Policy Object" @@ -93,7 +93,7 @@ tags = [ "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml index 4402909df..7caac286a 100644 --- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -12,7 +12,7 @@ description = """ Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins. """ -index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] +index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Group Policy Abuse for Privilege Addition" 
@@ -75,7 +75,7 @@ tags = [ "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index eb868f9ce..b3450e863 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -12,7 +12,7 @@ description = """ Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO. """ -index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] +index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Scheduled Task Execution at Scale via GPO" @@ -96,7 +96,7 @@ tags = [ "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml index b8a24031f..4572988bf 100644 --- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml 
@@ -2,7 +2,7 @@
 creation_date = "2022/04/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,7 @@ localhost, followed by a sevice creation from the same LogonId. This may indicat
 relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Service Creation via Local Kerberos Authentication"
@@ -35,7 +35,7 @@ tags = [
 "Tactic: Credential Access",
 "Use Case: Active Directory Monitoring",
 "Data Source: Active Directory",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 type = "eql"
diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml
index b914821a3..512bcab7e 100644
--- a/rules/windows/privilege_escalation_make_token_local.toml
+++ b/rules/windows/privilege_escalation_make_token_local.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/12/04"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,7 +13,7 @@ Identifies interactive logon attempt with alternate credentials and by an unusua
 token to escalate privileges and bypass access controls.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Interactive Logon by an Unusual Process"
@@ -23,15 +23,16 @@ rule_id = "61766ef9-48a5-4247-ad74-3349de7eb2ad" setup = """## Setup Audit event 4624 is needed to trigger this rule. - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index 896000553..b75be0c16 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -40,15 +40,15 @@ utilizing a framework such Metasploit's meterpreter getsystem command.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -119,7 +119,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
index 2ca31c548..56562a07b 100644
--- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
+++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,7 +13,7 @@ Identifies a new credentials logon type performed by an unusual process. This ma
 token forging capability that are often abused to bypass access control restrictions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen NewCredentials Logon Process"
@@ -21,7 +21,7 @@ references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-m
 risk_score = 47
 rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System", "Resources: Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index 4aace1a69..9e9d868ea 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/12/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,7 @@ elevate privileges from a standard domain user to a user with domain admin privi
 vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privileged Escalation via SamAccountName Spoofing"
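Review bot: The rewritten `tags` line in privilege_escalation_newcreds_logon_rare_process.toml stays on a single line, whereas the equivalent rewrites in make_token_local (above) and tokenmanip_sedebugpriv_enabled (below) expand the array to one element per line with a trailing comma. Using the expanded form here as well keeps the three rules consistent and turns future tag additions into one-line diffs. Only the tag text changes in this hunk, so the rule's behaviour is unaffected either way.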
@@ -27,14 +27,6 @@ references = [
 ]
 risk_score = 73
 rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
 "Domain: Endpoint",
@@ -45,7 +37,7 @@ tags = [
 "Use Case: Active Directory Monitoring",
 "Data Source: Active Directory",
 "Use Case: Vulnerability",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index d5e4b5273..1ab090ec6 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -36,13 +36,13 @@ This can potentially indicate an attempt to elevate privileges or maintain persi
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process-*",
- "logs-system.security*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
 "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
- "logs-crowdstrike.fdr*"
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -100,7 +100,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Crowdstrike",
 ]
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index 41a65bc6b..da1c2f521 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/11"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -15,7 +15,7 @@ step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standa
 privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Computer Account DnsHostName Update"
@@ -34,7 +34,7 @@ tags = [
 "Use Case: Active Directory Monitoring",
 "Data Source: Active Directory",
 "Use Case: Vulnerability",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
index 52e443aa2..c8f95b7f3 100644
--- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,7 +13,7 @@ Identifies the creation of a process running as SYSTEM and impersonating a Windo
 may create a new process with a different token to escalate privileges and bypass access controls.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SeDebugPrivilege Enabled by a Suspicious Process"
@@ -41,7 +41,14 @@ Token Right Adjusted Events (Success)
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 51089dc7f..d7cc1793a 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,15 +14,15 @@ stealthily execute code with elevated permissions.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -39,7 +39,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 923b91311..f2c7c23ec 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/17"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -40,15 +40,15 @@ elevated permissions.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -120,7 +120,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Microsoft Defender for Endpoint",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index b9bd82cad..41c0ca0ac 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -40,15 +40,15 @@ Attackers may bypass UAC to stealthily execute code with elevated permissions.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -119,7 +119,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml
index 2a522c081..e833d2756 100644
--- a/rules/windows/privilege_escalation_unquoted_service_path.toml
+++ b/rules/windows/privilege_escalation_unquoted_service_path.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/13"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system"]
 maturity = "production"
-updated_date = "2025/02/14"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,14 @@ higher-level directory within the path of an unquoted service executable, Window
 from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-system.security*"]
+index = [
+ "endgame-*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
@@ -31,7 +38,7 @@ tags = [
 "Data Source: SentinelOne",
 "Data Source: Elastic Endgame",
 "Data Source: Sysmon",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 1b26d6208..f5bc7027f 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
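Review bot: The expanded `index` for privilege_escalation_unquoted_service_path.toml contains `logs-system.security*` but neither `logs-windows.forwarded*` nor `winlogbeat-*`, although the tags hunk in the same file now labels the rule `Data Source: Windows Security Event Logs` and the other rules in this commit that read `logs-system.security*` (make_token_local, unusual_printspooler_childprocess, the service_control and uac_bypass rules) pair it with both. If the query evaluates Security-channel process creation events, hosts whose logs arrive through Windows Event Forwarding or Winlogbeat are not covered here; adding `"logs-windows.forwarded*",` and `"winlogbeat-*",` would close that gap. The previous array omitted them as well, so this may be deliberate — worth a confirming sentence in the commit message if so.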
@@ -40,15 +40,15 @@ activity on a system.
 """
 from = "now-9m"
 index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
 "endgame-*",
- "logs-system.security*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-crowdstrike.fdr*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -119,7 +119,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index 09b99466e..1818cfcba 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -19,21 +19,13 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"]
+index = ["logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Print Spooler Child Process"
 references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
 risk_score = 47
 rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -42,7 +34,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 96324cd62..bb3ec426e 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/07"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
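Review bot: Replacing `logs-windows.*` with `logs-windows.forwarded*` in privilege_escalation_unusual_printspooler_childprocess.toml silently drops `logs-windows.sysmon_operational-*`, which the old wildcard matched; the same substitution is made in the create_process_as_different_user, credroaming_ldap, group_policy, krbrelayup, make_token_local, newcreds, samaccountname, dnshostname, tokenmanip_sedebugpriv and windows_service_via_unusual_client hunks. For rules keyed on Security event IDs (the ones whose `setup` names events 4624 and 4688) the forwarded and system.security datasets are the right scope, but a parent/child process rule like this one is a natural consumer of Sysmon process events, and the file carried no `Data Source: Sysmon` tag before or after the change, so the loss is invisible in the metadata. If Sysmon coverage is wanted, add `"logs-windows.sysmon_operational-*",` and the matching tag; if not, the narrowing deserves a line in the commit message so it is not read as accidental.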
@@ -14,7 +14,7 @@ privileges but are executed under SYSTEM privileges, so an adversary may also us
 administrator to SYSTEM.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Service Installed via an Unusual Client"
@@ -48,7 +48,7 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml
index 921f28610..e62bcef9a 100644
--- a/rules_building_block/collection_outlook_email_archive.toml
+++ b/rules_building_block/collection_outlook_email_archive.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/21"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,13 @@ Identifies commands containing references to Outlook data files extensions, whic
 access, or modification of these files.
 """
 from = "now-119m"
-index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"]
+index = [
+ "endgame-*",
+ "logs-endpoint.events.process-*",
+ "logs-system.security*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
@@ -31,7 +37,7 @@ tags = [
 "Rule Type: BBR",
 "Data Source: Sysmon",
 "Data Source: Elastic Endgame",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml
index 2b54cbba5..d2170ca13 100644
--- a/rules_building_block/command_and_control_bitsadmin_activity.toml
+++ b/rules_building_block/command_and_control_bitsadmin_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/21"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,13 @@ Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, async
 Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.
 """
 from = "now-119m"
-index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"]
+index = [
+ "endgame-*",
+ "logs-endpoint.events.process-*",
+ "logs-system.security*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
@@ -31,7 +37,7 @@ tags = [
 "Rule Type: BBR",
 "Data Source: Sysmon",
 "Data Source: Elastic Endgame",
- "Data Source: System",
+ "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 1eed992f9..a2cbeacc1 100644
--- a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -5,7 +5,7 @@ integration = ["endpoint", "windows", "system"] min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" [rule] author = ["Elastic"] @@ -15,13 +15,7 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Microsoft IIS Service Account Password Dumped" @@ -37,7 +31,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index 3f148849b..b310d2c5f 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml +++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/01/10" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
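Review bot: rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml is the one rule in this commit whose `index` keeps the `logs-windows.*` wildcard, while the sibling building-block hunks above replace it with the explicit `logs-windows.sysmon_operational-*` dataset and the `rules/windows` hunks use `logs-windows.forwarded*`. The wildcard also matches other windows-integration datasets, such as the PowerShell logs, that a process-based rule never needs, and it hides whether Sysmon data is expected. Suggested: `index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]`, adding `"Data Source: Sysmon",` to `tags` if the Sysmon dataset is kept.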
@@ -11,7 +11,13 @@ author = ["Elastic"] building_block_type = "default" description = "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.\n" from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" @@ -28,7 +34,7 @@ tags = [ "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index 45e62b406..9bf8d3042 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -11,7 +11,13 @@ author = ["Elastic"] building_block_type = "default" description = "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\n" from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" 
@@ -29,7 +35,7 @@ tags = [ "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml index 76a5c196c..74c2776b8 100644 --- a/rules_building_block/defense_evasion_cmstp_execution.toml +++ b/rules_building_block/defense_evasion_cmstp_execution.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/01/10" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -16,7 +16,13 @@ service profiles, which accept installation information file (INF) files. Advers execution of malicious code by supplying INF files that contain malicious commands. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via CMSTP.exe" @@ -33,7 +39,7 @@ tags = [ "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml index 68ad590b5..55afd9005 100644 --- a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml 
+++ b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -11,13 +11,7 @@ author = ["Elastic"] building_block_type = "default" description = "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\n" from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -33,7 +27,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_installutil_command_activity.toml b/rules_building_block/defense_evasion_installutil_command_activity.toml index f0718951b..64165d53d 100644 --- a/rules_building_block/defense_evasion_installutil_command_activity.toml +++ b/rules_building_block/defense_evasion_installutil_command_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -15,13 +15,7 @@ installer components specified in .NET binaries. Adversaries may use InstallUtil a trusted Windows utility. """ from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -37,7 +31,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml index 1c7efb230..7854e0caa 100644 --- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -14,13 +14,7 @@ Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab fi unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files. """ from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" 
@@ -37,7 +31,7 @@ tags = [ "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index f31ea2967..088e46ce1 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -14,7 +14,13 @@ Identifies attempts to modify a service path setting using sc.exe. Attackers may persistence or privilege escalation. """ from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" @@ -31,7 +37,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml index f5ab763eb..70173ff15 100644 --- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml +++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -11,13 +11,7 @@ author = ["Elastic"] building_block_type = "default" description = "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\n" from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -33,7 +27,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index de838caec..1d1c148c5 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -52,7 +52,7 @@ tags = [ "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml index 8c4a07057..b9a6fec30 100644 --- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2022/11/01" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/01/09" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -15,7 +15,7 @@ Identifies the execution of discovery commands to enumerate system information, Command Shell. """ from = "now-9m" -index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.process-*", "endgame-*", "logs-system.security*"] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "System Information Discovery via Windows Command Shell" @@ -48,14 +48,6 @@ This rule identifies commands to enumerate system information, files, and folder """ risk_score = 21 rule_id = "d68e95ad-1c82-4074-a12a-125fe10ac8ba" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", 
@@ -67,7 +59,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index 6e0ff3dec..e2de88493 100644 --- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/01/09" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -15,13 +15,7 @@ This rule identifies the execution of commands that can be used to enumerate run enumerate processes to identify installed applications and security solutions. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Process Discovery Using Built-in Tools" @@ -36,7 +30,7 @@ tags = [ "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index 3194c5290..1842896d8 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -14,7 +14,7 @@ Adversaries may look for folders and drives shared on remote systems to identify precursor for collection and identify potential systems of interest for Lateral Movement. """ from = "now-119m" -index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"] +index = ["logs-system.security*", "logs-windows.*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -29,7 +29,7 @@ tags = [ "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] type = "eql" diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml index 7c419eed4..e56e9b0e2 100644 --- a/rules_building_block/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -15,13 +15,7 @@ Identifies the use of Windows Management Instrumentation Command (WMIC) to disco such as AntiVirus or Host Firewall details. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Security Software Discovery using WMIC" 
@@ -55,14 +49,6 @@ This rule looks for the execution of the `wmic` utility with arguments compatibl """ risk_score = 47 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -73,7 +59,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml index c70601ed3..c5519bc74 100644 --- a/rules_building_block/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -16,13 +16,7 @@ reconnaissance phase after compromising a system in order to gain a better under escalate privileges. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "System Service Discovery through built-in Windows Utilities" @@ -37,7 +31,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml index d58b327e2..1e62fda4a 100644 --- a/rules_building_block/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml @@ -5,7 +5,7 @@ integration = ["windows", "endpoint", "system"] min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" [rule] author = ["Elastic"] @@ -15,13 +15,7 @@ Detects the usage of commonly used system time discovery techniques, which attac phase after compromising a system. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "System Time Discovery" 
@@ -36,7 +30,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index af6dab02a..a498c69d5 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -15,7 +15,7 @@ Detects the execution of commands used to discover information about the system, compromising a system to gain situational awareness. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Windows System Information Discovery" @@ -30,7 +30,7 @@ tags = [ "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml index 7e0591100..35ebcffc2 100644 --- a/rules_building_block/execution_wmi_wbemtest.toml +++ b/rules_building_block/execution_wmi_wbemtest.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -14,13 +14,7 @@ Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI ob local or remote endpoints. """ from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -36,7 +30,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml index 7d63c514b..57593d58f 100644 --- a/rules_building_block/lateral_movement_at.toml +++ b/rules_building_block/lateral_movement_at.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -14,13 +14,7 @@ Identifies use of at.exe to interact with the task scheduler on remote hosts. Re execution could be indicative of adversary lateral movement. """ from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" 
@@ -36,7 +30,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 0125b3949..63d3a181f 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/02/21" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -14,7 +14,13 @@ Identifies the use of wmic.exe to run commands on remote hosts. While this can b attackers can abuse this built-in utility to achieve lateral movement. """ from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" @@ -31,7 +37,7 @@ tags = [ "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", - "Data Source: System", + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 850e8da12..d898b0f34 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
@@ -351,6 +351,9 @@ class TestRuleTags(BaseRuleTest):
 'logs-endpoint.alerts-*': {'all': ['Data Source: Elastic Defend']},
 'logs-windows.sysmon_operational-*': {'all': ['Data Source: Sysmon']},
 'logs-windows.powershell*': {'all': ['Data Source: PowerShell Logs']},
+ 'logs-system.security*': {'all': ['Data Source: Windows Security Event Logs']},
+ 'logs-system.forwarded*': {'all': ['Data Source: Windows Security Event Logs']},
+ 'logs-system.system*': {'all': ['Data Source: Windows System Event Logs']},
 'logs-sentinel_one_cloud_funnel.*': {'all': ['Data Source: SentinelOne']},
 'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']},
 'logs-m365_defender.event-*': {'all': ['Data Source: Microsoft Defender for Endpoint']},
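Review bot: The new key `logs-system.forwarded*` looks inconsistent with its siblings: the windows-integration datasets in this map are spelled `logs-windows.<dataset>` (`logs-windows.sysmon_operational-*`, `logs-windows.powershell*`), and forwarded event logs are normally shipped by the windows integration, so the index pattern rules actually use is likely `logs-windows.forwarded*`. If so, this entry would presumably never match any rule's index list and the tag requirement for forwarded security events would never be enforced; either rename the key to `logs-windows.forwarded*` or confirm that a `logs-system.forwarded*` data stream exists and is referenced by rules. The added entries also repeat the same tag literal twice; a module-level constant such as `WIN_SEC_TAG = 'Data Source: Windows Security Event Logs'` would keep the string in one place the next time the tag is renamed, as it was in this commit. The enclosing dict and method begin before the hunk.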