security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Refresh ecs, beats, integration manifests & schemas (#4699)

Browse Source
This commit is contained in:
shashank-elastic
2025-05-05 23:06:40 +05:30
committed by GitHub
parent 18e1103c51
commit e4856d3c2c
104 changed files with 76 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/attack-technique-redirects.json
+3 -2
View File
@@ -130,7 +130,8 @@
"T1522": "T1552.005", "T1522": "T1552.005",
"T1527": "T1550.001", "T1527": "T1550.001",
"T1536": "T1578.004", "T1536": "T1578.004",
"T1547.011": "T1647" "T1547.011": "T1647",
"T1574.002": "T1574.001"
}, },
"saved_date": "Mon Dec 9 14:04:15 2024" "saved_date": "Mon May 5 18:11:43 2025"
} }
detection_rules/etc/attack-v16.1.0.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/attack-v17.0.0.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/beats_schemas/main.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/beats_schemas/v9.0.0.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/integration-manifests.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/integration-schemas.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/stack-schema-map.yaml
+2 -2
View File
@@ -126,10 +126,10 @@
"9.0.0": "9.0.0":
beats: "9.0.0" beats: "9.0.0"
ecs: "9.0.0-rc1" ecs: "9.0.0"
endgame: "8.4.0" endgame: "8.4.0"
"9.1.0": "9.1.0":
beats: "9.0.0" beats: "9.0.0"
ecs: "9.0.0-rc1" ecs: "9.0.0"
endgame: "8.4.0" endgame: "8.4.0"
detection_rules/integrations.py
+3 -2
View File
@@ -189,7 +189,8 @@ def find_least_compatible_version(package: str, integration: str,
# returns latest major version that is least compatible # returns latest major version that is least compatible
for version, manifest in OrderedDict(sorted(major_integration_manifests.items(), for version, manifest in OrderedDict(sorted(major_integration_manifests.items(),
key=lambda x: Version.parse(x[0]))).items(): key=lambda x: Version.parse(x[0]))).items():
compatible_versions = re.sub(r"\>|\<|\=|\^", "", manifest["conditions"]["kibana"]["version"]).split(" || ") compatible_versions = re.sub(r"\>|\<|\=|\^|\~", "",
manifest["conditions"]["kibana"]["version"]).split(" || ")
for kibana_ver in compatible_versions: for kibana_ver in compatible_versions:
kibana_ver = Version.parse(kibana_ver) kibana_ver = Version.parse(kibana_ver)
# check versions have the same major # check versions have the same major
@@ -222,7 +223,7 @@ def find_latest_compatible_version(package: str, integration: str,
if not version_requirement: if not version_requirement:
raise ValueError(f"Manifest for {package}:{integration} version {version} is missing conditions.") raise ValueError(f"Manifest for {package}:{integration} version {version} is missing conditions.")
compatible_versions = re.sub(r"\>|\<|\=|\^", "", version_requirement).split(" || ") compatible_versions = re.sub(r"\>|\<|\=|\^|\~", "", version_requirement).split(" || ")
if not compatible_versions: if not compatible_versions:
raise ValueError(f"Manifest for {package}:{integration} version {version} is missing compatible versions") raise ValueError(f"Manifest for {package}:{integration} version {version} is missing compatible versions")
pyproject.toml
+1 -1
View File
@@ -1,6 +1,6 @@
[project] [project]
name = "detection_rules" name = "detection_rules"
version = "1.2.0" version = "1.2.1"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine." description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md" readme = "README.md"
requires-python = ">=3.12" requires-python = ">=3.12"
rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/08/29" creation_date = "2023/08/29"
integration = ["endpoint"] integration = ["endpoint"]
maturity = "production" maturity = "production"
updated_date = "2025/01/24" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -142,7 +142,7 @@ reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.003" id = "T1036.003"
name = "Rename System Utilities" name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/" reference = "https://attack.mitre.org/techniques/T1036/003/"
[[rule.threat.technique]] [[rule.threat.technique]]
rules/linux/defense_evasion_prctl_process_name_tampering.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2025/01/09" creation_date = "2025/01/09"
integration = ["auditd_manager"] integration = ["auditd_manager"]
maturity = "production" maturity = "production"
updated_date = "2025/01/15" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -112,7 +112,7 @@ reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
[rule.threat.tactic] [rule.threat.tactic]
rules/linux/defense_evasion_rename_esxi_files.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/04/11" creation_date = "2023/04/11"
integration = ["endpoint"] integration = ["endpoint"]
maturity = "production" maturity = "production"
updated_date = "2025/02/04" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -108,7 +108,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.003" id = "T1036.003"
name = "Rename System Utilities" name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/" reference = "https://attack.mitre.org/techniques/T1036/003/"
rules/linux/defense_evasion_rename_esxi_index_file.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/04/11" creation_date = "2023/04/11"
integration = ["endpoint"] integration = ["endpoint"]
maturity = "production" maturity = "production"
updated_date = "2025/02/04" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -107,7 +107,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.003" id = "T1036.003"
name = "Rename System Utilities" name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/" reference = "https://attack.mitre.org/techniques/T1036/003/"
rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18" creation_date = "2020/02/18"
integration = ["network_traffic", "panw"] integration = ["network_traffic", "panw"]
maturity = "production" maturity = "production"
updated_date = "2025/01/15" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -110,7 +110,7 @@ VNC allows remote control of systems, facilitating maintenance and resource shar
framework = "MITRE ATT&CK" framework = "MITRE ATT&CK"
[[rule.threat.technique]] [[rule.threat.technique]]
id = "T1219" id = "T1219"
name = "Remote Access Software" name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/" reference = "https://attack.mitre.org/techniques/T1219/"
rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18" creation_date = "2020/02/18"
integration = ["network_traffic", "panw"] integration = ["network_traffic", "panw"]
maturity = "production" maturity = "production"
updated_date = "2025/01/15" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -111,7 +111,7 @@ VNC is a tool that allows remote control of computers, often used by administrat
framework = "MITRE ATT&CK" framework = "MITRE ATT&CK"
[[rule.threat.technique]] [[rule.threat.technique]]
id = "T1219" id = "T1219"
name = "Remote Access Software" name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/" reference = "https://attack.mitre.org/techniques/T1219/"
rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/04/03" creation_date = "2023/04/03"
integration = ["endpoint", "windows", "system"] integration = ["endpoint", "windows", "system"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -282,7 +282,7 @@ host.os.type: "windows" and
framework = "MITRE ATT&CK" framework = "MITRE ATT&CK"
[[rule.threat.technique]] [[rule.threat.technique]]
id = "T1219" id = "T1219"
name = "Remote Access Software" name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/" reference = "https://attack.mitre.org/techniques/T1219/"
rules/windows/command_and_control_screenconnect_childproc.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/03/27" creation_date = "2024/03/27"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -109,7 +109,7 @@ process where host.os.type == "windows" and event.type == "start" and
framework = "MITRE ATT&CK" framework = "MITRE ATT&CK"
[[rule.threat.technique]] [[rule.threat.technique]]
id = "T1219" id = "T1219"
name = "Remote Access Software" name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/" reference = "https://attack.mitre.org/techniques/T1219/"
rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/09/02" creation_date = "2020/09/02"
integration = ["endpoint", "sentinel_one_cloud_funnel"] integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[transform] [transform]
[[transform.osquery]] [[transform.osquery]]
@@ -131,7 +131,7 @@ reference = "https://attack.mitre.org/techniques/T1105/"
[[rule.threat.technique]] [[rule.threat.technique]]
id = "T1219" id = "T1219"
name = "Remote Access Software" name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/" reference = "https://attack.mitre.org/techniques/T1219/"
rules/windows/command_and_control_tunnel_vscode.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/09/09" creation_date = "2024/09/09"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -94,7 +94,7 @@ process where host.os.type == "windows" and event.type == "start" and
framework = "MITRE ATT&CK" framework = "MITRE ATT&CK"
[[rule.threat.technique]] [[rule.threat.technique]]
id = "T1219" id = "T1219"
name = "Remote Access Software" name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/" reference = "https://attack.mitre.org/techniques/T1219/"
rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/17" creation_date = "2023/01/17"
integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"] integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[transform] [transform]
[[transform.osquery]] [[transform.osquery]]
@@ -164,7 +164,7 @@ name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/" reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1574.001" id = "T1574.001"
name = "DLL Search Order Hijacking" name = "DLL"
reference = "https://attack.mitre.org/techniques/T1574/001/" reference = "https://attack.mitre.org/techniques/T1574/001/"
rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/08/04" creation_date = "2023/08/04"
integration = ["endpoint"] integration = ["endpoint"]
maturity = "production" maturity = "production"
updated_date = "2025/01/22" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -269,7 +269,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/03/25" creation_date = "2020/03/25"
integration = ["endpoint", "windows", "m365_defender"] integration = ["endpoint", "windows", "m365_defender"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[transform] [transform]
[[transform.osquery]] [[transform.osquery]]
@@ -131,7 +131,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.003" id = "T1036.003"
name = "Rename System Utilities" name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/" reference = "https://attack.mitre.org/techniques/T1036/003/"
rules/windows/defense_evasion_from_unusual_directory.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/10/30" creation_date = "2020/10/30"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[transform] [transform]
[[transform.osquery]] [[transform.osquery]]
@@ -182,7 +182,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/08/24" creation_date = "2020/08/24"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -115,7 +115,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
rules/windows/defense_evasion_masquerading_business_apps_installer.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/09/01" creation_date = "2023/09/01"
integration = ["endpoint"] integration = ["endpoint"]
maturity = "production" maturity = "production"
updated_date = "2025/01/15" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -215,7 +215,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
rules/windows/defense_evasion_masquerading_communication_apps.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/05/05" creation_date = "2023/05/05"
integration = ["endpoint"] integration = ["endpoint"]
maturity = "production" maturity = "production"
updated_date = "2025/01/15" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -141,7 +141,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/09/01" creation_date = "2020/09/01"
integration = ["endpoint", "windows", "m365_defender"] integration = ["endpoint", "windows", "m365_defender"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[transform] [transform]
[[transform.osquery]] [[transform.osquery]]
@@ -128,7 +128,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.003" id = "T1036.003"
name = "Rename System Utilities" name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/" reference = "https://attack.mitre.org/techniques/T1036/003/"
rules/windows/defense_evasion_masquerading_trusted_directory.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/18" creation_date = "2020/11/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -119,7 +119,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
rules/windows/defense_evasion_masquerading_werfault.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/08/24" creation_date = "2020/08/24"
integration = ["endpoint", "windows"] integration = ["endpoint", "windows"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[transform] [transform]
[[transform.osquery]] [[transform.osquery]]
@@ -135,7 +135,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/09/02" creation_date = "2020/09/02"
integration = ["endpoint", "windows"] integration = ["endpoint", "windows"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[transform] [transform]
[[transform.osquery]] [[transform.osquery]]
@@ -193,7 +193,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
rules/windows/defense_evasion_suspicious_short_program_name.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/15" creation_date = "2020/11/15"
integration = ["endpoint", "windows", "m365_defender"] integration = ["endpoint", "windows", "m365_defender"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[transform] [transform]
[[transform.osquery]] [[transform.osquery]]
@@ -127,7 +127,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.003" id = "T1036.003"
name = "Rename System Utilities" name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/" reference = "https://attack.mitre.org/techniques/T1036/003/"
rules/windows/execution_from_unusual_path_cmdline.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/10/30" creation_date = "2020/10/30"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[transform] [transform]
[[transform.osquery]] [[transform.osquery]]
@@ -259,7 +259,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
rules/windows/execution_suspicious_psexesvc.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/08/14" creation_date = "2020/08/14"
integration = ["endpoint", "windows", "m365_defender"] integration = ["endpoint", "windows", "m365_defender"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -101,7 +101,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.003" id = "T1036.003"
name = "Rename System Utilities" name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/" reference = "https://attack.mitre.org/techniques/T1036/003/"
rules/windows/persistence_browser_extension_install.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/08/22" creation_date = "2023/08/22"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -100,7 +100,7 @@ file where host.os.type == "windows" and event.type : "creation" and
framework = "MITRE ATT&CK" framework = "MITRE ATT&CK"
[[rule.threat.technique]] [[rule.threat.technique]]
id = "T1176" id = "T1176"
name = "Browser Extensions" name = "Software Extensions"
reference = "https://attack.mitre.org/techniques/T1176/" reference = "https://attack.mitre.org/techniques/T1176/"
rules/windows/privilege_escalation_persistence_phantom_dll.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/01/07" creation_date = "2020/01/07"
integration = ["endpoint", "windows"] integration = ["endpoint", "windows"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -185,7 +185,7 @@ name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/" reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1574.001" id = "T1574.001"
name = "DLL Search Order Hijacking" name = "DLL"
reference = "https://attack.mitre.org/techniques/T1574/001/" reference = "https://attack.mitre.org/techniques/T1574/001/"
rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/10/26" creation_date = "2020/10/26"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production" maturity = "production"
updated_date = "2025/03/20" updated_date = "2025/05/05"
[transform] [transform]
[[transform.osquery]] [[transform.osquery]]
@@ -157,7 +157,7 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/" reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"
rules_building_block/defense_evasion_dll_hijack.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/07/12" creation_date = "2023/07/12"
integration = ["endpoint"] integration = ["endpoint"]
maturity = "production" maturity = "production"
updated_date = "2024/05/21" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -89,7 +89,7 @@ name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/" reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1574.001" id = "T1574.001"
name = "DLL Search Order Hijacking" name = "DLL"
reference = "https://attack.mitre.org/techniques/T1574/001/" reference = "https://attack.mitre.org/techniques/T1574/001/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
rules_building_block/defense_evasion_masquerading_browsers.toml
+2 -2
View File
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/08/02" creation_date = "2023/08/02"
integration = ["endpoint"] integration = ["endpoint"]
maturity = "production" maturity = "production"
updated_date = "2025/01/10" updated_date = "2025/05/05"
[rule] [rule]
author = ["Elastic"] author = ["Elastic"]
@@ -180,7 +180,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
[[rule.threat.technique.subtechnique]] [[rule.threat.technique.subtechnique]]
id = "T1036.005" id = "T1036.005"
name = "Match Legitimate Name or Location" name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/" reference = "https://attack.mitre.org/techniques/T1036/005/"

Some files were not shown because too many files have changed in this diff Show More