[Rule Tuning] Update rules based on docs review (#1778)

* Update rules based on docs review

* trivial change to trigger CLA

* undo changes from triggering build

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Jonhnathan
2022-02-16 13:42:06 -03:00
committed by GitHub
parent 3227d65cd8
commit dec4243db0
28 changed files with 113 additions and 111 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2021/07/14"
updated_date = "2022/02/16"
min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
min_stack_version = "7.15.0"
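Review bot: `min_stack_comments` and `min_stack_version` disagree in this metadata block: the comment says `event.agent_id_status` was introduced in 7.14, but the floor is pinned at `"7.15.0"`. Either lower the floor to `7.14.0` or extend the comment to say why 7.15 is actually required; as written, the next reader will "fix" one of the two and silently change the rule's support window.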
@@ -13,7 +13,7 @@ indicate attempts to spoof events in order to masquerade actual activity to evad
"""
false_positives = [
"""
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the
This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
necessary field, resulting in false positives.
""",
]
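Review bot: The `false_positives` entry here is a deployment prerequisite, not a source of false positives, and it says `7.14+` while the metadata above pins `min_stack_version = "7.15.0"`. Other rules in this commit carry this kind of requirement in a `## Config` section of the `note` field (for example the PssCaptureSnapShot rule); moving the sentence there and quoting a single version would keep the two places from drifting apart.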
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2021/07/14"
updated_date = "2022/02/16"
min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
min_stack_version = "7.15.0"
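Review bot: Same inconsistency as in the first file: `min_stack_comments` cites 7.14 for `event.agent_id_status` while `min_stack_version` is `"7.15.0"`. Make the two agree, or document why the higher floor is needed.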
@@ -13,7 +13,7 @@ masquerade actual activity to evade detection.
"""
false_positives = [
"""
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the
This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
necessary field, resulting in false positives.
""",
]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/11/24"
maturity = "production"
updated_date = "2022/02/10"
updated_date = "2022/02/16"
min_stack_comments = "Threat index is ECS 1.11 compliant (8.0)."
min_stack_version = "8.0"
@@ -35,18 +35,18 @@ If an indicator matches a local observation, the following enriched fields will
#### Possible investigation steps:
- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched
and viewing the source of that activity.
and by viewing the source of that activity.
- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?
These kinds of questions can help understand if the activity is related to legitimate behavior.
- Consider the user and their role within the company, is this something related to their job or work function?
- Consider the user and their role within the company: is this something related to their job or work function?
### False Positive Analysis
- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can
be a great tool for augmenting existing security processes, while at the same time it should be understood that threat
intelligence can represent a specific set of activity observed at a point in time. For example, an IP address
may have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and
may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and
no longer represents any threat.
- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their
- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their
way into indicator lists creating the potential for false positives.
- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.
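Review bot: "These kinds of questions can help understand if the activity is related to legitimate behavior" is still awkward after this pass; "help determine whether the activity is legitimate" reads better. The unchanged last bullet, "after large and publicly written campaigns", has the same problem ("widely publicized campaigns") and sits inside this hunk's context, so it could be picked up in the same docs-review commit.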
@@ -1,14 +1,14 @@
[metadata]
creation_date = "2021/04/21"
maturity = "production"
updated_date = "2022/01/26"
updated_date = "2022/02/16"
min_stack_comments = "Threat intel module fields were updated from `threatintel.*` to `threat.*` in ECS 1.11 (7.16)."
min_stack_version = "8.0"
[rule]
author = ["Elastic"]
description = """
This rule is triggered when indicators from the Threat Intel integrations has a match against local file or network observations.
This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations.
"""
from = "now-65m"
index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
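Review bot: `min_stack_comments` justifies a 7.16 floor (the `threatintel.*` to `threat.*` rename in ECS 1.11), but `min_stack_version` is `"8.0"`. If 8.0 is the real requirement, as the sibling indicator rule states with "Threat index is ECS 1.11 compliant (8.0)", the comment should say so; otherwise `7.16.0` is the version the comment supports. The version string format also differs from the `"7.15.0"` style used earlier in this commit.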
@@ -35,18 +35,18 @@ If an indicator matches a local observation, the following enriched fields will
#### Possible investigation steps:
- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched
and viewing the source of that activity.
and by viewing the source of that activity.
- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines?
These kinds of questions can help understand if the activity is related to legitimate behavior.
- Consider the user and their role within the company, is this something related to their job or work function?
- Consider the user and their role within the company: is this something related to their job or work function?
### False Positive Analysis
- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can
be a great tool for augmenting existing security processes, while at the same time it should be understood that threat
intelligence can represent a specific set of activity observed at a point in time. For example, an IP address
may have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and
may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and
no longer represents any threat.
- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their
- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their
way into indicator lists creating the potential for false positives.
- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.
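Review bot: This investigation guide is the same text, line for line, as the one in the previous indicator-match rule, and both hunks needed the identical three corrections. Two copies mean every future wording fix has to be applied twice; consider whether one rule can own the guide or both can carry a shorter note pointing at a shared one.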
@@ -1,14 +1,14 @@
[metadata]
creation_date = "2021/08/27"
maturity = "production"
updated_date = "2021/12/14"
updated_date = "2022/02/16"
integration = "azure"
[rule]
author = ["Austin Songer"]
description = """
Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts
previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly
previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly
configured, resulting in defense evasions and loss of security visibility.
"""
false_positives = [
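Review bot: In the rewritten description, "resulting in defense evasions and loss of security visibility" should use the singular "defense evasion" (the ATT&CK tactic name); the rest of the capitalization cleanup in this hunk looks right.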
@@ -1,16 +1,16 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/02/16"
integration = "gcp"
[rule]
author = ["Elastic"]
description = """
Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP).
Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other
destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in
order to impact the flow of network traffic in their target's cloud environment.
Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes
define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These
destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the
flow of network traffic in their target's cloud environment.
"""
false_positives = [
"""
@@ -2,7 +2,7 @@
creation_date = "2022/01/13"
integration = "o365"
maturity = "production"
updated_date = "2022/01/13"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
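Review bot: The metadata key order in this file (`creation_date`, `integration`, `maturity`, `updated_date`) differs from the Azure and GCP rules touched in this commit (`creation_date`, `maturity`, `updated_date`, `integration`). If the repo's rule formatter does not enforce an order, aligning them while touching the file would make future metadata diffs smaller.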
@@ -15,7 +15,7 @@ administrators can create bypass associations, allowing certain accounts to perf
Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by
the account.
"""
false_positives = ["Legitimate whitelisting of noisy accounts"]
false_positives = ["Legitimate allowlisting of noisy accounts"]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
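Review bot: `false_positives = ["Legitimate allowlisting of noisy accounts"]` is left without a trailing period, while this same commit adds one to equivalent single-sentence entries elsewhere (`"Legitimate administrative activity related to shadow copies."`, `"PowerShell scripts that use this capability for troubleshooting."`). Pick one convention for `false_positives` strings and apply it across the commit.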
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/19"
maturity = "production"
updated_date = "2021/11/30"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -25,8 +25,8 @@ computer.
#### Possible investigation steps:
- Examine script content that triggered the detection.
- Investigate script execution chain (parent process tree)
- Inspect any file or network events from the suspicious powershell host process instance.
- Investigate script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
@@ -1,12 +1,12 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2021/11/30"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
description = """
Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts.
Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts.
Attackers use this technique to capture user input, looking for credentials and/or other valuable data.
"""
from = "now-9m"
@@ -20,14 +20,14 @@ note = """## Triage and analysis.
PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
Attackers can abuse PowerShell capabilities to capture user Keystrokes with the goal of stealing credentials and other
valuable information as Credit Card data and confidential conversations.
Attackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other
valuable information as credit card data and confidential conversations.
#### Possible investigation steps:
- Examine script content that triggered the detection.
- Investigate script execution chain (parent process tree)
- Inspect any file or network events from the suspicious powershell host process instance.
- Investigate script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
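Review bot: In the triage paragraph, "valuable information as credit card data" needs "such as credit card data". The heading `## Triage and analysis.` also keeps a trailing period here (and in the other PowerShell rules) while the GPO rules later in this commit use `## Triage and analysis` without one; normalize the heading while the notes are being edited.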
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2021/10/19"
maturity = "production"
updated_date = "2021/10/19"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
description = """
Detects PowerShell Scripts that can take screenshots, which is a common feature in post-exploitation kits and RATs
(Remote Access Tools).
Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote
access tools (RATs).
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/02"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ query = '''
network where event.type == "start" and network.direction : ("outgoing", "egress") and
destination.port == 88 and source.port >= 49152 and
process.executable != "C:\\Windows\\System32\\lsass.exe" and destination.address !="127.0.0.1" and destination.address !="::1" and
/* insert False Positives here */
/* insert false positives here */
not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
'''
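Review bot: The exclusion list that follows the `/* insert false positives here */` comment filters on `process.name` alone, which an attacker controls (rename a tool to `chrome.exe` and it is excluded), whereas LSASS is excluded by its full `process.executable` path two lines above. Since the comment invites users to add their own exclusions at this spot, it is worth saying that exclusions should prefer `process.executable` over a bare name. Minor: `!="127.0.0.1"` and `!="::1"` lack the spaces around the operator that the rest of the query uses.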
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/05"
maturity = "production"
updated_date = "2021/11/30"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or
Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.
"""
false_positives = ["Powershell Scripts that use this capability for troubleshooting."]
false_positives = ["PowerShell scripts that use this capability for troubleshooting."]
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
@@ -27,8 +27,8 @@ information stored in the process memory.
#### Possible investigation steps:
- Examine script content that triggered the detection.
- Investigate script execution chain (parent process tree)
- Inspect any file or network events from the suspicious powershell host process instance.
- Investigate script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
@@ -1,6 +1,6 @@
[metadata]
creation_date = "2021/10/17"
updated_date = "2021/10/17"
updated_date = "2022/02/16"
maturity = "production"
@@ -8,7 +8,7 @@ maturity = "production"
author = ["Elastic"]
description = """
Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a
process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in
process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in
preparation for credential access.
"""
from = "now-9m"
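Review bot: "bypassing command-line based detection" still reads as a compound modifier missing a hyphen; "command-line-based detection" (or simply "detection based on the command line") is the grammatical form.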
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2021/10/07"
maturity = "production"
updated_date = "2022/01/24"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
description = """
Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export
the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.
the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
@@ -1,6 +1,6 @@
[metadata]
creation_date = "2021/10/14"
updated_date = "2021/10/14"
updated_date = "2022/02/16"
maturity = "production"
min_stack_version = "7.14.0"
min_stack_comments = "Cardinality field not added to threshold rule type until 7.14."
@@ -9,7 +9,7 @@ min_stack_comments = "Cardinality field not added to threshold rule type until 7
[rule]
author = ["Elastic"]
description = """
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed
by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and
dump LSASS memory for credential access.
"""
@@ -20,7 +20,7 @@ license = "Elastic License v2"
name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
note = """## Config
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold
This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
rule cardinality feature."""
references = [
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
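Review bot: Replacing "agents v7.14+" with "Elastic Agent 7.14+" makes the `## Config` note less accurate here: `min_stack_comments` at the top of this file says the gate is the threshold rule cardinality feature, which is a stack (Kibana) capability, not an agent version. This note should point at the stack version, for example "This is meant to run only on stack version 7.14+ since versions prior to that will be missing the threshold rule cardinality feature", matching `min_stack_version = "7.14.0"`.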
@@ -1,14 +1,15 @@
[metadata]
creation_date = "2021/12/25"
maturity = "production"
updated_date = "2021/12/31"
updated_date = "2022/02/16"
[rule]
author = ["Austin Songer"]
description = """
Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information.
Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow
copy, including sensitive files that may contain credential information.
"""
false_positives = ["Legitimate administrative activity related to shadow copies"]
false_positives = ["Legitimate administrative activity related to shadow copies."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2021/10/15"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
description = """
This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use
this method to load executables and DLLs without writing to the disk, bypassing security solutions.
Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method
to load executables and DLLs without writing to the disk, bypassing security solutions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2021/10/19"
maturity = "production"
updated_date = "2021/10/19"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
description = """
Identifies the use of .Net functionality for decompression and base64 decoding combined in PowerShell scripts, which Malware and security tools
heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.
Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which
malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.
"""
false_positives = ["Legitimate PowerShell Scripts which makes use of compression and encoding"]
false_positives = ["Legitimate PowerShell Scripts which makes use of compression and encoding."]
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
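Review bot: `"Legitimate PowerShell Scripts which makes use of compression and encoding."` still has a subject-verb mismatch ("Scripts ... makes") and a capitalized "Scripts", the exact pattern this commit fixes in the neighbouring rules ("Legitimate PowerShell scripts that make use of ..."). Suggest "Legitimate PowerShell scripts that make use of compression and encoding."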
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/14"
maturity = "production"
updated_date = "2021/11/30"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
Detects the use of Windows API functions that are commonly abused by malware and security tools to load
malicious code or inject it into remote processes.
"""
false_positives = ["Legitimate Powershell Scripts that make use of these Functions"]
false_positives = ["Legitimate PowerShell scripts that make use of these functions."]
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
@@ -24,14 +24,14 @@ PowerShell is one of the main tools used by system administrators for automation
PowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way,
like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.
Red Team tooling and Malware Developers take advantage of these capabilities to develop stagers and loaders that inject
Red Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject
payloads directly into the memory, without touching the disk.
#### Possible investigation steps:
- Examine script content that triggered the detection.
- Investigate script execution chain (parent process tree)
- Inspect any file or network events from the suspicious powershell host process instance.
- Investigate script execution chain (parent process tree).
- Inspect any file or network events from the suspicious PowerShell host process instance.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2021/11/24"
updated_date = "2022/02/16"
[rule]
@@ -12,9 +12,9 @@ constraints, like internet and network lateral communication restrictions.
"""
false_positives = [
"""
Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity,
user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by
unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be
investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-9m"
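Review bot: "Windows Profile being disabled by unfamiliar users should be investigated" in the rewritten false-positive text does not say what profile is meant; the rule is about firewall profiles, so "A Windows Firewall profile being disabled by an unfamiliar user should be investigated" is clearer. The fix to the first sentence ("can be disabled by a system administrator") resolves the original fragment correctly.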
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/13"
maturity = "production"
updated_date = "2021/11/30"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ This rule detects the use of discovery-related Windows API functions in PowerShe
functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain
trusts, groups, etc.
"""
false_positives = ["Legitimate Powershell Scripts that make use of these Functions"]
false_positives = ["Legitimate PowerShell scripts that make use of these functions."]
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
@@ -22,14 +22,14 @@ note = """## Triage and analysis.
PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
Attackers can use PowerShell to interact with the Win32 API to bypass file based AntiVirus detections, using libraries
Attackers can use PowerShell to interact with the Win32 API to bypass file based antivirus detections, using libraries
like PSReflect or Get-ProcAddress Cmdlet.
#### Possible investigation steps:
- Examine script content that triggered the detection.
- Investigate script execution chain (parent process tree).
- Inspect any file or network events from the suspicious powershell host process instance.
- Inspect any file or network events from the suspicious PowerShell host process instance.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
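Review bot: "bypass file based antivirus detections" needs a hyphen ("file-based"), and "Get-ProcAddress Cmdlet" should use lowercase "cmdlet" (it is a common noun in PowerShell documentation). Both are in the lines this hunk rewrites.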
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/15"
maturity = "production"
updated_date = "2021/10/15"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ license = "Elastic License v2"
name = "Enumeration of Privileged Local Groups Membership"
note = """## Config
This will require Windows security event 4799 by enabling audit success for the windows Account Management category and
This will require Windows security event 4799 by enabling audit success for the Windows Account Management category and
the Security Group Management subcategory.
"""
risk_score = 43
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2021/11/30"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -21,14 +21,14 @@ note = """## Triage and analysis.
PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
Attackers can abuse PowerShell In-Memory capabilities to inject executables into memory without touching the disk, bypassing
AntiVirus software. These executables are generally base64 encoded.
Attackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk,
bypassing antivirus software. These executables are generally base64 encoded.
#### Possible investigation steps:
- Examine script content that triggered the detection.
- Investigate script execution chain (parent process tree).
- Inspect any file or network events from the suspicious powershell host process instance.
- Inspect any file or network events from the suspicious PowerShell host process instance.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2021/10/15"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables
PowerShell to access win32 API functions.
"""
false_positives = ["Legitimate Powershell Scripts that make use of PSReflect to access the win32 API"]
false_positives = ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"]
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
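Review bot: The `false_positives` string in this hunk is the one entry in the commit's sweep left without a trailing period, and it writes "win32 API" in lowercase while the note below (changed in the next hunk) writes "Windows API"; suggest "Legitimate PowerShell scripts that make use of PSReflect to access the Win32 API."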
@@ -26,7 +26,7 @@ create enums and structs easily—all without touching the disk.
Although this is an interesting project for every developer and admin out there, it is mainly used in the red team and
malware tooling for its capabilities.
Detecting the core implementation of PSReflect means detecting most of the tooling that uses windows API through
Detecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through
PowerShell, enabling the defender to discover tools being dropped in the environment.
#### Possible investigation steps:
@@ -48,7 +48,7 @@ PowerShell, enabling the defender to discover tools being dropped in the environ
- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70
### Response and Remediation
- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
post-compromise behavior.
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/11/08"
maturity = "production"
updated_date = "2021/11/08"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -18,13 +18,13 @@ note = """## Triage and analysis
### Investigating Scheduled Task Execution at Scale via GPO
Group Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to
execute specified commands at Startup, Logon, Shutdown, and Logoff. This is done by creating/modifying the `scripts.ini` or
execute specified commands at startup, logon, shutdown, and logoff. This is done by creating/modifying the `scripts.ini` or
`psscripts.ini` files. The scripts are stored in the following path: `<GPOPath>\\Machine\\Scripts\\`, `<GPOPath>\\User\\Scripts\\`
#### Possible investigation steps:
- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate
and the administrator is authorized to perform this operation.
- Retrieve the contents of the script file, check for any potentially malicious commands and binaries.
- Retrieve the contents of the script file, and check for any potentially malicious commands and binaries.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
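Review bot: The heading `### Investigating Scheduled Task Execution at Scale via GPO` is the wrong title for this rule: the body describes `scripts.ini`/`psscripts.ini` startup, logon, shutdown and logoff scripts, and this same file's Related Rules section (next hunk) lists "Scheduled Task Execution at Scale via GPO" as a separate rule. It should be the startup/logon script rule name, which the GptTmpl.inf rule later in this commit refers to as "Startup/Logon Script added to Group Policy Object".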
@@ -35,7 +35,7 @@ and the administrator is authorized to perform this operation.
- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e
### Response and Remediation
- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
post-compromise behavior.
## Config
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2021/11/08"
maturity = "production"
updated_date = "2021/11/08"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
description = """
This rule detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to
add users as local admins.
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or
use them to add users as local admins.
"""
index = ["winlogbeat-*", "logs-system.*"]
language = "kuery"
@@ -17,29 +17,29 @@ note = """## Triage and analysis
### Investigating Group Policy Abuse for Privilege Addition
Group Policy Objects can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named
GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO, this file is unique
for each GPO, and only exists if the GPO contains security settings.
Group Policy Objects can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF
file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO.
This file is unique for each GPO, and only exists if the GPO contains security settings.
Example Path: "\\\\DC.com\\SysVol\\DC.com\\Policies\\{21B9B880-B2FB-4836-9C2D-2013E0D832E9}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf"
#### Possible investigation steps:
- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate
and the administrator is authorized to perform this operation.
- Retrieve the contents of the `GptTmpl.inf` file, under the `Privilege Rights` section, look for potentially dangerous high privileges,
for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.
- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity
is legitimate and the administrator is authorized to perform this operation.
- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially
dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.
- Inspect the user SIDs associated with these privileges
### False Positive Analysis
- Verify if these User SIDs should have these privileges enabled.
- Inspect whether the user that has done these modifications should be allowed to do it. The user name can be found in the
`winlog.event_data.SubjectUserName` field
`winlog.event_data.SubjectUserName` field.
### Related Rules
- Scheduled Task Execution at Scale via GPO
- Startup/Logon Script added to Group Policy Object
### Response and Remediation
- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
post-compromise behavior.
## Config
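Review bot: "Inspect the user SIDs associated with these privileges" in this hunk's unchanged lines is missing its terminating period, the same fix applied to the `winlog.event_data.SubjectUserName` line just below it. In the first investigation step, "a legitimate mechanism of the Active Directory" should drop the article ("of Active Directory"); the same phrase appears in the other two GPO rules in this commit.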
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/11/08"
maturity = "production"
updated_date = "2021/11/08"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -16,14 +16,15 @@ note = """## Triage and analysis
### Investigating Scheduled Task Execution at Scale via GPO
Group Policy Objects can be used by attackers to execute Scheduled Tasks at scale to compromise Objects controlled by a given GPO,
this is done by changing the contents of the `<GPOPath>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.
Group Policy Objects can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a
given GPO. This is done by changing the contents of the `<GPOPath>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml`
file.
#### Possible investigation steps:
- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate
and the administrator is authorized to perform this operation.
- Retrieve the contents of the `ScheduledTasks.xml` file, check the `<Command>` and `<Arguments>` XML tags for any potentially malicious
commands and binaries.
- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity
is legitimate and the administrator is authorized to perform this operation.
- Retrieve the contents of the `ScheduledTasks.xml` file, ánd check the `<Command>` and `<Arguments>` XML tags for any
potentially malicious commands and binaries.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
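Review bot: The new line "Retrieve the contents of the `ScheduledTasks.xml` file, ánd check the `<Command>` and `<Arguments>` XML tags" introduces a typo: "ánd" (accented a) should be "and". Since this is a docs-review commit, fix before merge so the published rule note does not carry it.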
@@ -34,7 +35,7 @@ commands and binaries.
- Startup/Logon Script added to Group Policy Object
### Response and Remediation
- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
post-compromise behavior.
## Config
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/11/25"
maturity = "production"
updated_date = "2022/02/14"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
@@ -21,13 +21,13 @@ note = """## Triage and analysis.
InstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation,
an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.
This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copy itself
This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself
to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.
#### Possible investigation steps:
- Check for the digital signature of the executable
- Look for additional processes spawned by the process, command lines and network communications.
- Check for the digital signature of the executable.
- Look for additional processes spawned by the process, command lines, and network communications.
- Look for additional alerts involving the host and the user.
### False Positive Analysis
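Review bot: "a weaponized EoP PoC to the CVE-2021-41379 vulnerability" should read "for the CVE-2021-41379 vulnerability", and the unchanged sentence "An attacker is able to still take over any file that is not in use (locked)" is smoother as "An attacker can still take over any file that is not in use (locked), which is outside the scope of this rule." The added periods on the investigation steps are consistent with the rest of the commit.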
@@ -40,7 +40,7 @@ to the location to escalate privileges. An attacker is able to still take over a
### Response and Remediation
- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
post-compromise behavior.
"""
references = [